Merge 2610c05b5b95cc7036b3d6dfb894c6cfbdb68483 as Samba-4.0alpha16

24 files changed, 1221 insertions, 493 deletions

diff --git a/source4/scripting/python/pyglue.c b/source4/scripting/python/pyglue.c
index f89785f971..8a82f3502a 100644
--- a/source4/scripting/python/pyglue.c
+++ b/source4/scripting/python/pyglue.c
@@ -25,6 +25,10 @@
 
 void init_glue(void);
 
+#ifndef Py_RETURN_NONE
+#define Py_RETURN_NONE return Py_INCREF(Py_None), Py_None
+#endif
+
 static PyObject *py_generate_random_str(PyObject *self, PyObject *args)
 {
 	int len;
@@ -149,22 +153,22 @@ static PyObject *py_interface_ips(PyObject *self, PyObject *args)
 		return NULL;
 	}
 
-	load_interfaces(tmp_ctx, lpcfg_interfaces(lp_ctx), &ifaces);
+	load_interface_list(tmp_ctx, lp_ctx, &ifaces);
 
-	count = iface_count(ifaces);
+	count = iface_list_count(ifaces);
 
 	/* first count how many are not loopback addresses */
 	for (ifcount = i = 0; i<count; i++) {
-		const char *ip = iface_n_ip(ifaces, i);
-		if (!(!all_interfaces && iface_same_net(ip, "127.0.0.1", "255.0.0.0"))) {
+		const char *ip = iface_list_n_ip(ifaces, i);
+		if (!(!all_interfaces && iface_list_same_net(ip, "127.0.0.1", "255.0.0.0"))) {
 			ifcount++;
 		}
 	}
 
 	pylist = PyList_New(ifcount);
 	for (ifcount = i = 0; i<count; i++) {
-		const char *ip = iface_n_ip(ifaces, i);
-		if (!(!all_interfaces && iface_same_net(ip, "127.0.0.1", "255.0.0.0"))) {
+		const char *ip = iface_list_n_ip(ifaces, i);
+		if (!(!all_interfaces && iface_list_same_net(ip, "127.0.0.1", "255.0.0.0"))) {
 			PyList_SetItem(pylist, ifcount, PyString_FromString(ip));
 			ifcount++;
 		}
@@ -173,6 +177,30 @@ static PyObject *py_interface_ips(PyObject *self, PyObject *args)
 	return pylist;
 }
 
+static PyObject *py_strcasecmp_m(PyObject *self, PyObject *args)
+{
+	char *s1, *s2;
+
+	if (!PyArg_ParseTuple(args, "ss", &s1, &s2))
+		return NULL;
+
+	return PyInt_FromLong(strcasecmp_m(s1, s2));
+}
+
+static PyObject *py_strstr_m(PyObject *self, PyObject *args)
+{
+	char *s1, *s2, *ret;
+
+	if (!PyArg_ParseTuple(args, "ss", &s1, &s2))
+		return NULL;
+
+	ret = strstr_m(s1, s2);
+	if (!ret) {
+		Py_RETURN_NONE;
+	}
+	return PyString_FromString(ret);
+}
+
 static PyMethodDef py_misc_methods[] = {
 	{ "generate_random_str", (PyCFunction)py_generate_random_str, METH_VARARGS,
 		"generate_random_str(len) -> string\n"
@@ -192,6 +220,10 @@ static PyMethodDef py_misc_methods[] = {
 		"get debug level" },
 	{ "interface_ips", (PyCFunction)py_interface_ips, METH_VARARGS,
 		"get interface IP address list"},
+	{ "strcasecmp_m", (PyCFunction)py_strcasecmp_m, METH_VARARGS,
+		"(for testing) compare two strings using Samba's strcasecmp_m()"},
+	{ "strstr_m", (PyCFunction)py_strstr_m, METH_VARARGS,
+		"(for testing) find one string in another with Samba's strstr_m()"},
 	{ NULL }
 };
 
diff --git a/source4/scripting/python/samba/__init__.py b/source4/scripting/python/samba/__init__.py
index 2a54f47d2b..76eb44ce92 100644
--- a/source4/scripting/python/samba/__init__.py
+++ b/source4/scripting/python/samba/__init__.py
@@ -26,6 +26,7 @@ __docformat__ = "restructuredText"
 
 import os
 import sys
+import samba.param
 
 def source_tree_topdir():
     '''return the top level directory (the one containing the source4 directory)'''
@@ -77,8 +78,8 @@ class Ldb(_Ldb):
 
         if modules_dir is not None:
             self.set_modules_dir(modules_dir)
-        elif lp is not None:
-            self.set_modules_dir(os.path.join(lp.get("modules dir"), "ldb"))
+        else:
+            self.set_modules_dir(os.path.join(samba.param.modules_dir(), "ldb"))
 
         if session_info is not None:
             self.set_session_info(session_info)
@@ -348,3 +349,5 @@ nttime2string = _glue.nttime2string
 nttime2unix = _glue.nttime2unix
 unix2nttime = _glue.unix2nttime
 generate_random_password = _glue.generate_random_password
+strcasecmp_m = _glue.strcasecmp_m
+strstr_m = _glue.strstr_m
diff --git a/source4/scripting/python/samba/common.py b/source4/scripting/python/samba/common.py
new file mode 100644
index 0000000000..a2a4962797
--- /dev/null
+++ b/source4/scripting/python/samba/common.py
@@ -0,0 +1,33 @@
+#!/usr/bin/env python
+#
+# Samba common functions
+#
+# Copyright (C) Matthieu Patou <mat@matws.net>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+def confirm(msg, forced = False):
+    """confirm an action with the user
+        :param msg: A string to print to the user
+        :param forced: Are the answer forced
+    """
+    if forced:
+        print("%s [YES]" % msg)
+        return True
+
+    v = raw_input(msg + ' [y/N] ')
+    return v.upper() in ['Y', 'YES']
+
+
diff --git a/source4/scripting/python/samba/dbchecker.py b/source4/scripting/python/samba/dbchecker.py
new file mode 100644
index 0000000000..88fd0edf00
--- /dev/null
+++ b/source4/scripting/python/samba/dbchecker.py
@@ -0,0 +1,317 @@
+#!/usr/bin/env python
+#
+# Samba4 AD database checker
+#
+# Copyright (C) Andrew Tridgell 2011
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+import ldb
+from samba import dsdb
+from samba import common
+from samba.dcerpc import misc
+
+
+class dsdb_DN(object):
+    '''a class to manipulate DN components'''
+
+    def __init__(self, samdb, dnstring, syntax_oid):
+        if syntax_oid in [ dsdb.DSDB_SYNTAX_BINARY_DN, dsdb.DSDB_SYNTAX_STRING_DN ]:
+            colons = dnstring.split(':')
+            if len(colons) < 4:
+                raise Exception("invalid DN prefix")
+            prefix_len = 4 + len(colons[1]) + int(colons[1])
+            self.prefix = dnstring[0:prefix_len]
+            self.dnstring = dnstring[prefix_len:]
+        else:
+            self.dnstring = dnstring
+            self.prefix = ''
+        try:
+            self.dn = ldb.Dn(samdb, self.dnstring)
+        except Exception, msg:
+            print("ERROR: bad DN string '%s'" % self.dnstring)
+            raise
+
+    def __str__(self):
+        return self.prefix + str(self.dn.extended_str(mode=1))
+
+class dbcheck(object):
+    """check a SAM database for errors"""
+
+    def __init__(self, samdb, samdb_schema=None, verbose=False, fix=False, yes=False, quiet=False):
+        self.samdb = samdb
+        self.samdb_schema = (samdb_schema or samdb)
+        self.verbose = verbose
+        self.fix = fix
+        self.yes = yes
+        self.quiet = quiet
+
+    def check_database(self, DN=None, scope=ldb.SCOPE_SUBTREE, controls=[], attrs=['*']):
+        '''perform a database check, returning the number of errors found'''
+
+        res = self.samdb.search(base=DN, scope=scope, attrs=['dn'], controls=controls)
+        self.report('Checking %u objects' % len(res))
+        error_count = 0
+        for object in res:
+            error_count += self.check_object(object.dn, attrs=attrs)
+        if error_count != 0 and not self.fix:
+            self.report("Please use --fix to fix these errors")
+        self.report('Checked %u objects (%u errors)' % (len(res), error_count))
+
+        return error_count
+
+
+    def report(self, msg):
+        '''print a message unless quiet is set'''
+        if not self.quiet:
+            print(msg)
+
+
+    ################################################################
+    # a local confirm function that obeys the --fix and --yes options
+    def confirm(self, msg):
+        '''confirm a change'''
+        if not self.fix:
+            return False
+        if self.quiet:
+            return self.yes
+        return common.confirm(msg, forced=self.yes)
+
+
+    ################################################################
+    # handle empty attributes
+    def err_empty_attribute(self, dn, attrname):
+        '''fix empty attributes'''
+        self.report("ERROR: Empty attribute %s in %s" % (attrname, dn))
+        if not self.confirm('Remove empty attribute %s from %s?' % (attrname, dn)):
+            self.report("Not fixing empty attribute %s" % attrname)
+            return
+
+        m = ldb.Message()
+        m.dn = dn
+        m[attrname] = ldb.MessageElement('', ldb.FLAG_MOD_DELETE, attrname)
+        if self.verbose:
+            self.report(self.samdb.write_ldif(m, ldb.CHANGETYPE_MODIFY))
+        try:
+            self.samdb.modify(m, controls=["relax:0"], validate=False)
+        except Exception, msg:
+            self.report("Failed to remove empty attribute %s : %s" % (attrname, msg))
+            return
+        self.report("Removed empty attribute %s" % attrname)
+
+
+    ################################################################
+    # handle normalisation mismatches
+    def err_normalise_mismatch(self, dn, attrname, values):
+        '''fix attribute normalisation errors'''
+        self.report("ERROR: Normalisation error for attribute %s in %s" % (attrname, dn))
+        mod_list = []
+        for val in values:
+            normalised = self.samdb.dsdb_normalise_attributes(self.samdb_schema, attrname, [val])
+            if len(normalised) != 1:
+                self.report("Unable to normalise value '%s'" % val)
+                mod_list.append((val, ''))
+            elif (normalised[0] != val):
+                self.report("value '%s' should be '%s'" % (val, normalised[0]))
+                mod_list.append((val, normalised[0]))
+        if not self.confirm('Fix normalisation for %s from %s?' % (attrname, dn)):
+            self.report("Not fixing attribute %s" % attrname)
+            return
+
+        m = ldb.Message()
+        m.dn = dn
+        for i in range(0, len(mod_list)):
+            (val, nval) = mod_list[i]
+            m['value_%u' % i] = ldb.MessageElement(val, ldb.FLAG_MOD_DELETE, attrname)
+            if nval != '':
+                m['normv_%u' % i] = ldb.MessageElement(nval, ldb.FLAG_MOD_ADD, attrname)
+
+        if self.verbose:
+            self.report(self.samdb.write_ldif(m, ldb.CHANGETYPE_MODIFY))
+        try:
+            self.samdb.modify(m, controls=["relax:0"], validate=False)
+        except Exception, msg:
+            self.report("Failed to normalise attribute %s : %s" % (attrname, msg))
+            return
+        self.report("Normalised attribute %s" % attrname)
+
+    def is_deleted_objects_dn(self, dsdb_dn):
+        '''see if a dsdb_DN is the special Deleted Objects DN'''
+        return dsdb_dn.prefix == "B:32:18E2EA80684F11D2B9AA00C04F79F805:"
+
+
+    ################################################################
+    # handle a missing GUID extended DN component
+    def err_incorrect_dn_GUID(self, dn, attrname, val, dsdb_dn, errstr):
+        self.report("ERROR: %s component for %s in object %s - %s" % (errstr, attrname, dn, val))
+        controls=["extended_dn:1:1"]
+        if self.is_deleted_objects_dn(dsdb_dn):
+            controls.append("show_deleted:1")
+        try:
+            res = self.samdb.search(base=str(dsdb_dn.dn), scope=ldb.SCOPE_BASE,
+                                    attrs=[], controls=controls)
+        except ldb.LdbError, (enum, estr):
+            self.report("unable to find object for DN %s - cannot fix (%s)" % (dsdb_dn.dn, estr))
+            return
+        dsdb_dn.dn = res[0].dn
+
+        if not self.confirm('Change DN to %s?' % str(dsdb_dn)):
+            self.report("Not fixing %s" % errstr)
+            return
+        m = ldb.Message()
+        m.dn = dn
+        m['old_value'] = ldb.MessageElement(val, ldb.FLAG_MOD_DELETE, attrname)
+        m['new_value'] = ldb.MessageElement(str(dsdb_dn), ldb.FLAG_MOD_ADD, attrname)
+        if self.verbose:
+            self.report(self.samdb.write_ldif(m, ldb.CHANGETYPE_MODIFY))
+        try:
+            self.samdb.modify(m)
+        except Exception, msg:
+            self.report("Failed to fix %s on attribute %s : %s" % (errstr, attrname, msg))
+            return
+        self.report("Fixed %s on attribute %s" % (errstr, attrname))
+
+
+    ################################################################
+    # handle a DN pointing to a deleted object
+    def err_deleted_dn(self, dn, attrname, val, dsdb_dn, correct_dn):
+        self.report("ERROR: target DN is deleted for %s in object %s - %s" % (attrname, dn, val))
+        self.report("Target GUID points at deleted DN %s" % correct_dn)
+        if not self.confirm('Remove DN?'):
+            self.report("Not removing")
+            return
+        m = ldb.Message()
+        m.dn = dn
+        m['old_value'] = ldb.MessageElement(val, ldb.FLAG_MOD_DELETE, attrname)
+        if self.verbose:
+            self.report(self.samdb.write_ldif(m, ldb.CHANGETYPE_MODIFY))
+        try:
+            self.samdb.modify(m)
+        except Exception, msg:
+            self.report("Failed to remove deleted DN attribute %s : %s" % (attrname, msg))
+            return
+        self.report("Removed deleted DN on attribute %s" % attrname)
+
+
+    ################################################################
+    # handle a DN string being incorrect
+    def err_dn_target_mismatch(self, dn, attrname, val, dsdb_dn, correct_dn, errstr):
+        self.report("ERROR: incorrect DN string component for %s in object %s - %s" % (attrname, dn, val))
+        dsdb_dn.dn = correct_dn
+
+        if not self.confirm('Change DN to %s?' % str(dsdb_dn)):
+            self.report("Not fixing %s" % errstr)
+            return
+        m = ldb.Message()
+        m.dn = dn
+        m['old_value'] = ldb.MessageElement(val, ldb.FLAG_MOD_DELETE, attrname)
+        m['new_value'] = ldb.MessageElement(str(dsdb_dn), ldb.FLAG_MOD_ADD, attrname)
+        if self.verbose:
+            self.report(self.samdb.write_ldif(m, ldb.CHANGETYPE_MODIFY))
+        try:
+            self.samdb.modify(m)
+        except Exception, msg:
+            self.report("Failed to fix incorrect DN string on attribute %s : %s" % (attrname, msg))
+            return
+        self.report("Fixed incorrect DN string on attribute %s" % (attrname))
+
+
+    ################################################################
+    # specialised checking for a dn attribute
+    def check_dn(self, obj, attrname, syntax_oid):
+        '''check a DN attribute for correctness'''
+        error_count = 0
+        for val in obj[attrname]:
+            dsdb_dn = dsdb_DN(self.samdb, val, syntax_oid)
+
+            # all DNs should have a GUID component
+            guid = dsdb_dn.dn.get_extended_component("GUID")
+            if guid is None:
+                error_count += 1
+                self.err_incorrect_dn_GUID(obj.dn, attrname, val, dsdb_dn, "missing GUID")
+                continue
+
+            guidstr = str(misc.GUID(guid))
+
+            # check its the right GUID
+            try:
+                res = self.samdb.search(base="<GUID=%s>" % guidstr, scope=ldb.SCOPE_BASE,
+                                        attrs=['isDeleted'], controls=["extended_dn:1:1", "show_deleted:1"])
+            except ldb.LdbError, (enum, estr):
+                error_count += 1
+                self.err_incorrect_dn_GUID(obj.dn, attrname, val, dsdb_dn, "incorrect GUID")
+                continue
+
+            # the target DN might be deleted
+            if ((not self.is_deleted_objects_dn(dsdb_dn)) and
+                'isDeleted' in res[0] and
+                res[0]['isDeleted'][0].upper() == "TRUE"):
+                # note that we don't check this for the special wellKnownObjects prefix
+                # for Deleted Objects, as we expect that to be deleted
+                error_count += 1
+                self.err_deleted_dn(obj.dn, attrname, val, dsdb_dn, res[0].dn)
+                continue
+
+            # check the DN matches in string form
+            if res[0].dn.extended_str() != dsdb_dn.dn.extended_str():
+                error_count += 1
+                self.err_dn_target_mismatch(obj.dn, attrname, val, dsdb_dn,
+                                            res[0].dn, "incorrect string version of DN")
+                continue
+
+        return error_count
+
+
+
+    ################################################################
+    # check one object - calls to individual error handlers above
+    def check_object(self, dn, attrs=['*']):
+        '''check one object'''
+        if self.verbose:
+            self.report("Checking object %s" % dn)
+        res = self.samdb.search(base=dn, scope=ldb.SCOPE_BASE, controls=["extended_dn:1:1"], attrs=attrs)
+        if len(res) != 1:
+            self.report("Object %s disappeared during check" % dn)
+            return 1
+        obj = res[0]
+        error_count = 0
+        for attrname in obj:
+            if attrname == 'dn':
+                continue
+
+            # check for empty attributes
+            for val in obj[attrname]:
+                if val == '':
+                    self.err_empty_attribute(dn, attrname)
+                    error_count += 1
+                    continue
+
+            # get the syntax oid for the attribute, so we can can have
+            # special handling for some specific attribute types
+            syntax_oid = self.samdb_schema.get_syntax_oid_from_lDAPDisplayName(attrname)
+
+            if syntax_oid in [ dsdb.DSDB_SYNTAX_BINARY_DN, dsdb.DSDB_SYNTAX_OR_NAME,
+                               dsdb.DSDB_SYNTAX_STRING_DN, ldb.LDB_SYNTAX_DN ]:
+                # it's some form of DN, do specialised checking on those
+                error_count += self.check_dn(obj, attrname, syntax_oid)
+
+            # check for incorrectly normalised attributes
+            for val in obj[attrname]:
+                normalised = self.samdb.dsdb_normalise_attributes(self.samdb_schema, attrname, [val])
+                if len(normalised) != 1 or normalised[0] != val:
+                    self.err_normalise_mismatch(dn, attrname, obj[attrname])
+                    error_count += 1
+                    break
+        return error_count
diff --git a/source4/scripting/python/samba/hostconfig.py b/source4/scripting/python/samba/hostconfig.py
index 3e6dc6b1dd..c50b944c98 100644
--- a/source4/scripting/python/samba/hostconfig.py
+++ b/source4/scripting/python/samba/hostconfig.py
@@ -37,7 +37,7 @@ class Hostconfig(object):
         :param session_info: Session info to use
         :param credentials: Credentials to access the SamDB with
         """
-        return SamDB(url=self.lp.get("sam database"),
+        return SamDB(url=self.lp.samdb_url(),
                      session_info=session_info, credentials=credentials,
                      lp=self.lp)
 
diff --git a/source4/scripting/python/samba/idmap.py b/source4/scripting/python/samba/idmap.py
index 93fca46edd..9d957341de 100644
--- a/source4/scripting/python/samba/idmap.py
+++ b/source4/scripting/python/samba/idmap.py
@@ -41,7 +41,7 @@ class IDmapDB(samba.Ldb):
 
         self.lp = lp
         if url is None:
-                url = lp.get("idmap database")
+                url = lp.private_path("idmap.ldb")
 
         super(IDmapDB, self).__init__(url=url, lp=lp, modules_dir=modules_dir,
                 session_info=session_info, credentials=credentials, flags=flags,
diff --git a/source4/scripting/python/samba/join.py b/source4/scripting/python/samba/join.py
index c0aee71407..b586e2cd5b 100644
--- a/source4/scripting/python/samba/join.py
+++ b/source4/scripting/python/samba/join.py
@@ -36,6 +36,11 @@ import talloc
 # this makes debugging easier
 talloc.enable_null_tracking()
 
+class DCJoinException(Exception):
+
+    def __init__(self, msg):
+        super(DCJoinException, self).__init__("Can't join, error: %s" % msg)
+
 
 class dc_join(object):
     '''perform a DC join'''
@@ -62,6 +67,12 @@ class dc_join(object):
                           session_info=system_session(),
                           credentials=ctx.creds, lp=ctx.lp)
 
+        try:
+            ctx.samdb.search(scope=ldb.SCOPE_ONELEVEL, attrs=["dn"])
+        except ldb.LdbError, (enum, estr):
+            raise DCJoinException(estr)
+
+
         ctx.myname = netbios_name
         ctx.samname = "%s$" % ctx.myname
         ctx.base_dn = str(ctx.samdb.get_default_basedn())
diff --git a/source4/scripting/python/samba/netcmd/__init__.py b/source4/scripting/python/samba/netcmd/__init__.py
index cf514d5c49..1373cb289b 100644
--- a/source4/scripting/python/samba/netcmd/__init__.py
+++ b/source4/scripting/python/samba/netcmd/__init__.py
@@ -2,6 +2,7 @@
 
 # Unix SMB/CIFS implementation.
 # Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2009
+# Copyright (C) Theresa Halloran <theresahalloran@gmail.com> 2011
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -179,10 +180,6 @@ from samba.netcmd.domainlevel import cmd_domainlevel
 commands["domainlevel"] = cmd_domainlevel()
 from samba.netcmd.setpassword import cmd_setpassword
 commands["setpassword"] = cmd_setpassword()
-from samba.netcmd.setexpiry import cmd_setexpiry
-commands["setexpiry"] = cmd_setexpiry()
-from samba.netcmd.enableaccount import cmd_enableaccount
-commands["enableaccount"] = cmd_enableaccount()
 from samba.netcmd.newuser import cmd_newuser
 commands["newuser"] = cmd_newuser()
 from samba.netcmd.netacl import cmd_acl
@@ -215,3 +212,5 @@ from samba.netcmd.ldapcmp import cmd_ldapcmp
 commands["ldapcmp"] = cmd_ldapcmp()
 from samba.netcmd.testparm import cmd_testparm
 commands["testparm"] =  cmd_testparm()
+from samba.netcmd.dbcheck import cmd_dbcheck
+commands["dbcheck"] =  cmd_dbcheck()
diff --git a/source4/scripting/python/samba/netcmd/dbcheck.py b/source4/scripting/python/samba/netcmd/dbcheck.py
new file mode 100644
index 0000000000..3cc50eb814
--- /dev/null
+++ b/source4/scripting/python/samba/netcmd/dbcheck.py
@@ -0,0 +1,104 @@
+#!/usr/bin/env python
+#
+# Samba4 AD database checker
+#
+# Copyright (C) Andrew Tridgell 2011
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+import ldb, sys
+import samba.getopt as options
+from samba.auth import system_session
+from samba.samdb import SamDB
+from samba.netcmd import (
+    Command,
+    CommandError,
+    Option
+    )
+from samba.dbchecker import dbcheck
+
+
+class cmd_dbcheck(Command):
+    """check local AD database for errors"""
+    synopsis = "dbcheck <DN> [options]"
+
+    takes_optiongroups = {
+        "sambaopts": options.SambaOptions,
+        "versionopts": options.VersionOptions,
+        "credopts": options.CredentialsOptionsDouble,
+    }
+
+    takes_args = ["DN?"]
+
+    takes_options = [
+        Option("--scope", dest="scope", default="SUB",
+            help="Pass search scope that builds DN list. Options: SUB, ONE, BASE"),
+        Option("--fix", dest="fix", default=False, action='store_true',
+               help='Fix any errors found'),
+        Option("--yes", dest="yes", default=False, action='store_true',
+               help="don't confirm changes, just do them all as a single transaction"),
+        Option("--cross-ncs", dest="cross_ncs", default=False, action='store_true',
+               help="cross naming context boundaries"),
+        Option("-v", "--verbose", dest="verbose", action="store_true", default=False,
+            help="Print more details of checking"),
+        Option("--quiet", dest="quiet", action="store_true", default=False,
+            help="don't print details of checking"),
+        Option("--attrs", dest="attrs", default=None, help="list of attributes to check (space separated)"),
+        Option("-H", help="LDB URL for database or target server (defaults to local SAM database)", type=str),
+        ]
+
+    def run(self, DN=None, H=None, verbose=False, fix=False, yes=False, cross_ncs=False, quiet=False,
+            scope="SUB", credopts=None, sambaopts=None, versionopts=None, attrs=None):
+
+        lp = sambaopts.get_loadparm()
+        creds = credopts.get_credentials(lp, fallback_machine=True)
+
+        samdb = SamDB(session_info=system_session(), url=H,
+                      credentials=creds, lp=lp)
+        if H is None:
+            samdb_schema = samdb
+        else:
+            samdb_schema = SamDB(session_info=system_session(), url=None,
+                                 credentials=creds, lp=lp)
+
+        scope_map = { "SUB": ldb.SCOPE_SUBTREE, "BASE":ldb.SCOPE_BASE, "ONE":ldb.SCOPE_ONELEVEL }
+        scope = scope.upper()
+        if not scope in scope_map:
+            raise CommandError("Unknown scope %s" % scope)
+        search_scope = scope_map[scope]
+
+        controls = []
+        if H is not None:
+            controls.append('paged_results:1:1000')
+        if cross_ncs:
+            controls.append("search_options:1:2")
+
+        if not attrs:
+            attrs = ['*']
+        else:
+            attrs = attrs.split()
+
+        if yes and fix:
+            samdb.transaction_start()
+
+        chk = dbcheck(samdb, samdb_schema=samdb_schema, verbose=verbose, fix=fix, yes=yes, quiet=quiet)
+        error_count = chk.check_database(DN=DN, scope=search_scope, controls=controls, attrs=attrs)
+
+        if yes and fix:
+            samdb.transaction_commit()
+
+        if error_count != 0:
+            sys.exit(1)
+
diff --git a/source4/scripting/python/samba/netcmd/drs.py b/source4/scripting/python/samba/netcmd/drs.py
index 56c0e39a59..61717a70e9 100644
--- a/source4/scripting/python/samba/netcmd/drs.py
+++ b/source4/scripting/python/samba/netcmd/drs.py
@@ -233,6 +233,39 @@ class cmd_drs_kcc(Command):
         self.message("Consistency check on %s successful." % DC)
 
 
+def drs_local_replicate(self, SOURCE_DC, NC):
+    '''replicate from a source DC to the local SAM'''
+    self.server = SOURCE_DC
+    drsuapi_connect(self)
+
+    self.local_samdb = SamDB(session_info=system_session(), url=None,
+                             credentials=self.creds, lp=self.lp)
+
+    self.samdb = SamDB(url="ldap://%s" % self.server,
+                       session_info=system_session(),
+                       credentials=self.creds, lp=self.lp)
+
+    # work out the source and destination GUIDs
+    res = self.local_samdb.search(base="", scope=ldb.SCOPE_BASE, attrs=["dsServiceName"])
+    self.ntds_dn = res[0]["dsServiceName"][0]
+
+    res = self.local_samdb.search(base=self.ntds_dn, scope=ldb.SCOPE_BASE, attrs=["objectGUID"])
+    self.ntds_guid = misc.GUID(self.samdb.schema_format_value("objectGUID", res[0]["objectGUID"][0]))
+
+
+    source_dsa_invocation_id = misc.GUID(self.samdb.get_invocation_id())
+    destination_dsa_guid = self.ntds_guid
+
+    self.samdb.transaction_start()
+    repl = drs_utils.drs_Replicate("ncacn_ip_tcp:%s[seal]" % self.server, self.lp,
+                                   self.creds, self.local_samdb)
+    try:
+        repl.replicate(NC, source_dsa_invocation_id, destination_dsa_guid)
+    except Exception, e:
+        raise CommandError("Error replicating DN %s" % NC, e)
+    self.samdb.transaction_commit()
+
+
 
 class cmd_drs_replicate(Command):
     """replicate a naming context between two DCs"""
@@ -250,9 +283,10 @@ class cmd_drs_replicate(Command):
     takes_options = [
         Option("--add-ref", help="use ADD_REF to add to repsTo on source", action="store_true"),
         Option("--sync-forced", help="use SYNC_FORCED to force inbound replication", action="store_true"),
+        Option("--local", help="pull changes directly into the local database (destination DC is ignored)", action="store_true"),
         ]
 
-    def run(self, DEST_DC, SOURCE_DC, NC, add_ref=False, sync_forced=False,
+    def run(self, DEST_DC, SOURCE_DC, NC, add_ref=False, sync_forced=False, local=False,
             sambaopts=None,
             credopts=None, versionopts=None, server=None):
 
@@ -261,6 +295,10 @@ class cmd_drs_replicate(Command):
 
         self.creds = credopts.get_credentials(self.lp, fallback_machine=True)
 
+        if local:
+            drs_local_replicate(self, SOURCE_DC, NC)
+            return
+
         drsuapi_connect(self)
         samdb_connect(self)
 
diff --git a/source4/scripting/python/samba/netcmd/enableaccount.py b/source4/scripting/python/samba/netcmd/enableaccount.py
deleted file mode 100644
index 3ceddb3fd9..0000000000
--- a/source4/scripting/python/samba/netcmd/enableaccount.py
+++ /dev/null
@@ -1,60 +0,0 @@
-#!/usr/bin/env python
-#
-# Enables an user account on a Samba4 server
-# Copyright Jelmer Vernooij 2008
-#
-# Based on the original in EJS:
-# Copyright Andrew Tridgell 2005
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-#
-
-import samba.getopt as options
-
-from samba.auth import system_session
-from samba.netcmd import Command, CommandError, Option
-from samba.samdb import SamDB
-
-class cmd_enableaccount(Command):
-    """Enables a user"""
-
-    synopsis = "enableaccount [username] [options]"
-
-    takes_optiongroups = {
-        "sambaopts": options.SambaOptions,
-        "versionopts": options.VersionOptions,
-        "credopts": options.CredentialsOptions,
-    }
-
-    takes_options = [
-        Option("-H", help="LDB URL for database or target server", type=str),
-        Option("--filter", help="LDAP Filter to set password on", type=str),
-        ]
-
-    takes_args = ["username?"]
-
-    def run(self, username=None, sambaopts=None, credopts=None,
-            versionopts=None, filter=None, H=None):
-        if username is None and filter is None:
-            raise CommandError("Either the username or '--filter' must be specified!")
-
-        if filter is None:
-            filter = "(&(objectClass=user)(sAMAccountName=%s))" % (username)
-
-        lp = sambaopts.get_loadparm()
-        creds = credopts.get_credentials(lp, fallback_machine=True)
-
-        samdb = SamDB(url=H, session_info=system_session(),
-            credentials=creds, lp=lp)
-        samdb.enable_account(filter)
diff --git a/source4/scripting/python/samba/netcmd/gpo.py b/source4/scripting/python/samba/netcmd/gpo.py
index 19007b361c..fac9167076 100644
--- a/source4/scripting/python/samba/netcmd/gpo.py
+++ b/source4/scripting/python/samba/netcmd/gpo.py
@@ -126,7 +126,7 @@ class cmd_listall(Command):
             print("display name : %s" % m['displayName'][0])
             print("path         : %s" % m['gPCFileSysPath'][0])
             print("dn           : %s" % m.dn)
-            print("version      : %s" % attr_default(m, 'version', '0'))
+            print("version      : %s" % attr_default(m, 'versionNumber', '0'))
             print("flags        : %s" % flags_string(gpo_flags, int(attr_default(m, 'flags', 0))))
             print("")
 
diff --git a/source4/scripting/python/samba/netcmd/group.py b/source4/scripting/python/samba/netcmd/group.py
index 620a7be866..95db21adfc 100644
--- a/source4/scripting/python/samba/netcmd/group.py
+++ b/source4/scripting/python/samba/netcmd/group.py
@@ -85,6 +85,7 @@ class cmd_group_add(Command):
                           description=description, mailaddress=mail_address, notes=notes)
         except Exception, e:
             raise CommandError('Failed to create group "%s"' % groupname, e)
+        print("Added group %s" % groupname)
 
 
 class cmd_group_delete(Command):
@@ -115,6 +116,7 @@ class cmd_group_delete(Command):
             samdb.deletegroup(groupname)
         except Exception, e:
             raise CommandError('Failed to remove group "%s"' % groupname, e)
+        print("Deleted group %s" % groupname)
 
 
 class cmd_group_add_members(Command):
@@ -146,6 +148,7 @@ class cmd_group_add_members(Command):
             samdb.add_remove_group_members(groupname, listofmembers, add_members_operation=True)
         except Exception, e:
             raise CommandError('Failed to add members "%s" to group "%s"' % (listofmembers, groupname), e)
+        print("Added members to group %s" % groupname)
 
 
 class cmd_group_remove_members(Command):
@@ -177,6 +180,7 @@ class cmd_group_remove_members(Command):
             samdb.add_remove_group_members(groupname, listofmembers, add_members_operation=False)
         except Exception, e:
             raise CommandError('Failed to remove members "%s" from group "%s"' % (listofmembers, groupname), e)
+        print("Removed members from group %s" % groupname)
 
 
 class cmd_group(SuperCommand):
diff --git a/source4/scripting/python/samba/netcmd/join.py b/source4/scripting/python/samba/netcmd/join.py
index 507253ab81..820709c9e3 100644
--- a/source4/scripting/python/samba/netcmd/join.py
+++ b/source4/scripting/python/samba/netcmd/join.py
@@ -22,7 +22,7 @@ import samba.getopt as options
 
 from samba.net import Net, LIBNET_JOIN_AUTOMATIC
 from samba.netcmd import Command, CommandError, Option
-from samba.dcerpc.misc import SEC_CHAN_WKSTA, SEC_CHAN_BDC
+from samba.dcerpc.misc import SEC_CHAN_WKSTA
 from samba.join import join_RODC, join_DC
 
 class cmd_join(Command):
@@ -39,12 +39,13 @@ class cmd_join(Command):
     takes_options = [
         Option("--server", help="DC to join", type=str),
         Option("--site", help="site to join", type=str),
+        Option("--targetdir", help="where to store provision", type=str),
         ]
 
     takes_args = ["domain", "role?"]
 
     def run(self, domain, role=None, sambaopts=None, credopts=None,
-            versionopts=None, server=None, site=None):
+            versionopts=None, server=None, site=None, targetdir=None):
         lp = sambaopts.get_loadparm()
         creds = credopts.get_credentials(lp)
         net = Net(creds, lp, server=credopts.ipaddress)
@@ -58,21 +59,20 @@ class cmd_join(Command):
             role = role.upper()
 
         if role is None or role == "MEMBER":
-            secure_channel_type = SEC_CHAN_WKSTA
+            (join_password, sid, domain_name) = net.join_member(domain,
+                                                                netbios_name,
+                                                                LIBNET_JOIN_AUTOMATIC)
+
+            self.outf.write("Joined domain %s (%s)\n" % (domain_name, sid))
+            return
+
         elif role == "DC":
             join_DC(server=server, creds=creds, lp=lp, domain=domain,
-                    site=site, netbios_name=netbios_name)
+                    site=site, netbios_name=netbios_name, targetdir=targetdir)
             return
         elif role == "RODC":
             join_RODC(server=server, creds=creds, lp=lp, domain=domain,
-                      site=site, netbios_name=netbios_name)
+                      site=site, netbios_name=netbios_name, targetdir=targetdir)
             return
         else:
             raise CommandError("Invalid role %s (possible values: MEMBER, BDC, RODC)" % role)
-
-        (join_password, sid, domain_name) = net.join(domain,
-                                                     netbios_name,
-                                                     secure_channel_type,
-                                                     LIBNET_JOIN_AUTOMATIC)
-
-        self.outf.write("Joined domain %s (%s)\n" % (domain_name, sid))
diff --git a/source4/scripting/python/samba/netcmd/setexpiry.py b/source4/scripting/python/samba/netcmd/setexpiry.py
deleted file mode 100644
index bd8ea166fa..0000000000
--- a/source4/scripting/python/samba/netcmd/setexpiry.py
+++ /dev/null
@@ -1,67 +0,0 @@
-#!/usr/bin/env python
-#
-# Sets the user password expiry on a Samba4 server
-# Copyright Jelmer Vernooij 2008
-#
-# Based on the original in EJS:
-# Copyright Andrew Tridgell 2005
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-#
-
-from samba.netcmd import Command, CommandError, Option
-
-import samba.getopt as options
-
-from samba.auth import system_session
-from samba.samdb import SamDB
-
-class cmd_setexpiry(Command):
-    """Sets the expiration of a user account"""
-
-    synopsis = "setexpiry [username] [options]"
-
-    takes_optiongroups = {
-        "sambaopts": options.SambaOptions,
-        "versionopts": options.VersionOptions,
-        "credopts": options.CredentialsOptions,
-    }
-
-    takes_options = [
-        Option("-H", help="LDB URL for database or target server", type=str),
-        Option("--filter", help="LDAP Filter to set password on", type=str),
-        Option("--days", help="Days to expiry", type=int),
-        Option("--noexpiry", help="Password does never expire", action="store_true"),
-    ]
-
-    takes_args = ["username?"]
-
-    def run(self, username=None, sambaopts=None, credopts=None,
-            versionopts=None, H=None, filter=None, days=None, noexpiry=None):
-        if username is None and filter is None:
-            raise CommandError("Either the username or '--filter' must be specified!")
-
-        if filter is None:
-            filter = "(&(objectClass=user)(sAMAccountName=%s))" % (username)
-
-        lp = sambaopts.get_loadparm()
-        creds = credopts.get_credentials(lp)
-
-        if days is None:
-            days = 0
-
-        samdb = SamDB(url=H, session_info=system_session(),
-            credentials=creds, lp=lp)
-
-        samdb.setexpiry(filter, days*24*3600, no_expiry_req=noexpiry)
diff --git a/source4/scripting/python/samba/netcmd/user.py b/source4/scripting/python/samba/netcmd/user.py
index a5750b5010..6acf52d790 100644
--- a/source4/scripting/python/samba/netcmd/user.py
+++ b/source4/scripting/python/samba/netcmd/user.py
@@ -3,6 +3,7 @@
 # user management
 #
 # Copyright Jelmer Vernooij 2010 <jelmer@samba.org>
+# Copyright Theresa Halloran 2011 <theresahalloran@gmail.com>
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -19,6 +20,10 @@
 #
 
 import samba.getopt as options
+import sys
+from samba.auth import system_session
+from samba.samdb import SamDB
+
 
 from samba.net import Net
 
@@ -26,6 +31,7 @@ from samba.netcmd import (
     Command,
     CommandError,
     SuperCommand,
+    Option,
     )
 
 class cmd_user_add(Command):
@@ -70,6 +76,86 @@ class cmd_user_delete(Command):
         except RuntimeError, msg:
             raise CommandError("Failed to delete user %s: %s" % (name, msg))
 
+class cmd_user_enable(Command):
+    """Enables a user"""
+
+    synopsis = "%prog user enable <username> [options]"
+
+
+    takes_optiongroups = {
+        "sambaopts": options.SambaOptions,
+        "versionopts": options.VersionOptions,
+        "credopts": options.CredentialsOptions,
+    }
+
+    takes_options = [
+        Option("-H", help="LDB URL for database or target server", type=str),
+        Option("--filter", help="LDAP Filter to set password on", type=str),
+        ]
+
+    takes_args = ["username?"]
+
+    def run(self, username=None, sambaopts=None, credopts=None,
+            versionopts=None, filter=None, H=None):
+        if username is None and filter is None:
+            raise CommandError("Either the username or '--filter' must be specified!")
+
+        if filter is None:
+            filter = "(&(objectClass=user)(sAMAccountName=%s))" % (username)
+
+        lp = sambaopts.get_loadparm()
+        creds = credopts.get_credentials(lp, fallback_machine=True)
+
+        samdb = SamDB(url=H, session_info=system_session(),
+            credentials=creds, lp=lp)
+        try:
+            samdb.enable_account(filter)
+        except Exception, msg:
+            raise CommandError("Failed to enable user %s: %s" % (username or filter, msg))
+        print("Enabled user %s" % (username or filter))
+
+
+class cmd_user_setexpiry(Command):
+    """Sets the expiration of a user account"""
+
+    synopsis = "%prog user setexpiry <username> [options]"
+
+    takes_optiongroups = {
+        "sambaopts": options.SambaOptions,
+        "versionopts": options.VersionOptions,
+        "credopts": options.CredentialsOptions,
+    }
+
+    takes_options = [
+        Option("-H", help="LDB URL for database or target server", type=str),
+        Option("--filter", help="LDAP Filter to set password on", type=str),
+        Option("--days", help="Days to expiry", type=int),
+        Option("--noexpiry", help="Password does never expire", action="store_true"),
+    ]
+
+    takes_args = ["username?"]
+    def run(self, username=None, sambaopts=None, credopts=None,
+            versionopts=None, H=None, filter=None, days=None, noexpiry=None):
+        if username is None and filter is None:
+            raise CommandError("Either the username or '--filter' must be specified!")
+
+        if filter is None:
+            filter = "(&(objectClass=user)(sAMAccountName=%s))" % (username)
+
+        lp = sambaopts.get_loadparm()
+        creds = credopts.get_credentials(lp)
+
+        if days is None:
+            days = 0
+
+        samdb = SamDB(url=H, session_info=system_session(),
+            credentials=creds, lp=lp)
+
+        try:
+            samdb.setexpiry(filter, days*24*3600, no_expiry_req=noexpiry)
+        except Exception, msg:
+            raise CommandError("Failed to set expiry for user %s: %s" % (username or filter, msg))
+        print("Set expiry for user %s to %u days" % (username or filter, days))
 
 class cmd_user(SuperCommand):
     """User management [server connection needed]"""
@@ -77,4 +163,5 @@ class cmd_user(SuperCommand):
     subcommands = {}
     subcommands["add"] = cmd_user_add()
     subcommands["delete"] = cmd_user_delete()
-
+    subcommands["enable"] = cmd_user_enable()
+    subcommands["setexpiry"] = cmd_user_setexpiry()
diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py
index ff9b00122d..5aabd36c1a 100644
--- a/source4/scripting/python/samba/provision/__init__.py
+++ b/source4/scripting/python/samba/provision/__init__.py
@@ -38,23 +38,23 @@ import uuid
 import socket
 import urllib
 import shutil
+import string
 
 import ldb
 
 from samba.auth import system_session, admin_session
 import samba
+from samba.dsdb import DS_DOMAIN_FUNCTION_2000
 from samba import (
     Ldb,
     check_all_substituted,
-    in_source_tree,
-    source_tree_topdir,
     read_and_sub_file,
     setup_file,
     substitute_var,
     valid_netbios_name,
     version,
     )
-from samba.dcerpc import security
+from samba.dcerpc import security, misc
 from samba.dcerpc.misc import (
     SEC_CHAN_BDC,
     SEC_CHAN_WKSTA,
@@ -94,19 +94,6 @@ def setup_path(file):
 
 # "get_schema_descriptor" is located in "schema.py"
 
-def get_sites_descriptor(domain_sid):
-    sddl = "D:(A;;RPLCLORC;;;AU)" \
-           "(A;;RPWPCRCCLCLORCWOWDSW;;;EA)" \
-           "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \
-           "S:AI(AU;CISA;CCDCSDDT;;;WD)" \
-           "(OU;CIIOSA;CR;;f0f8ffab-1191-11d0-a060-00aa006c33ed;WD)" \
-           "(OU;CIIOSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967ab3-0de6-11d0-a285-00aa003049e2;WD)" \
-           "(OU;CIIOSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967ab3-0de6-11d0-a285-00aa003049e2;WD)" \
-           "(OU;CIIOSA;WP;3e10944c-c354-11d0-aff8-0000f80367c1;b7b13124-b82e-11d0-afee-0000f80367c1;WD)"
-    sec = security.descriptor.from_sddl(sddl, domain_sid)
-    return ndr_pack(sec)
-
-
 def get_config_descriptor(domain_sid):
     sddl = "O:EAG:EAD:(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \
            "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \
@@ -217,8 +204,112 @@ class ProvisionNames(object):
         self.sitename = None
         self.smbconf = None
 
+def find_provision_key_parameters(samdb, secretsdb, idmapdb, paths, smbconf, lp):
+    """Get key provision parameters (realm, domain, ...) from a given provision
+
+    :param samdb: An LDB object connected to the sam.ldb file
+    :param secretsdb: An LDB object connected to the secrets.ldb file
+    :param idmapdb: An LDB object connected to the idmap.ldb file
+    :param paths: A list of path to provision object
+    :param smbconf: Path to the smb.conf file
+    :param lp: A LoadParm object
+    :return: A list of key provision parameters
+    """
+    names = ProvisionNames()
+    names.adminpass = None
+
+    # NT domain, kerberos realm, root dn, domain dn, domain dns name
+    names.domain = string.upper(lp.get("workgroup"))
+    names.realm = lp.get("realm")
+    basedn = "DC=" + names.realm.replace(".",",DC=")
+    names.dnsdomain = names.realm.lower()
+    names.realm = string.upper(names.realm)
+    # netbiosname
+    # Get the netbiosname first (could be obtained from smb.conf in theory)
+    res = secretsdb.search(expression="(flatname=%s)" %
+                            names.domain,base="CN=Primary Domains",
+                            scope=ldb.SCOPE_SUBTREE, attrs=["sAMAccountName"])
+    names.netbiosname = str(res[0]["sAMAccountName"]).replace("$","")
+
+    names.smbconf = smbconf
+
+    # That's a bit simplistic but it's ok as long as we have only 3
+    # partitions
+    current = samdb.search(expression="(objectClass=*)",
+        base="", scope=ldb.SCOPE_BASE,
+        attrs=["defaultNamingContext", "schemaNamingContext",
+               "configurationNamingContext","rootDomainNamingContext"])
+
+    names.configdn = current[0]["configurationNamingContext"]
+    configdn = str(names.configdn)
+    names.schemadn = current[0]["schemaNamingContext"]
+    if not (ldb.Dn(samdb, basedn) == (ldb.Dn(samdb,
+                                       current[0]["defaultNamingContext"][0]))):
+        raise ProvisioningError(("basedn in %s (%s) and from %s (%s)"
+                                 "is not the same ..." % (paths.samdb,
+                                    str(current[0]["defaultNamingContext"][0]),
+                                    paths.smbconf, basedn)))
+
+    names.domaindn=current[0]["defaultNamingContext"]
+    names.rootdn=current[0]["rootDomainNamingContext"]
+    # default site name
+    res3 = samdb.search(expression="(objectClass=site)",
+        base="CN=Sites," + configdn, scope=ldb.SCOPE_ONELEVEL, attrs=["cn"])
+    names.sitename = str(res3[0]["cn"])
+
+    # dns hostname and server dn
+    res4 = samdb.search(expression="(CN=%s)" % names.netbiosname,
+                            base="OU=Domain Controllers,%s" % basedn,
+                            scope=ldb.SCOPE_ONELEVEL, attrs=["dNSHostName"])
+    names.hostname = str(res4[0]["dNSHostName"]).replace("." + names.dnsdomain,"")
+
+    server_res = samdb.search(expression="serverReference=%s" % res4[0].dn,
+                                attrs=[], base=configdn)
+    names.serverdn = server_res[0].dn
+
+    # invocation id/objectguid
+    res5 = samdb.search(expression="(objectClass=*)",
+            base="CN=NTDS Settings,%s" % str(names.serverdn), scope=ldb.SCOPE_BASE,
+            attrs=["invocationID", "objectGUID"])
+    names.invocation = str(ndr_unpack(misc.GUID, res5[0]["invocationId"][0]))
+    names.ntdsguid = str(ndr_unpack(misc.GUID, res5[0]["objectGUID"][0]))
+
+    # domain guid/sid
+    res6 = samdb.search(expression="(objectClass=*)", base=basedn,
+            scope=ldb.SCOPE_BASE, attrs=["objectGUID",
+                "objectSid","msDS-Behavior-Version" ])
+    names.domainguid = str(ndr_unpack(misc.GUID, res6[0]["objectGUID"][0]))
+    names.domainsid = ndr_unpack( security.dom_sid, res6[0]["objectSid"][0])
+    if res6[0].get("msDS-Behavior-Version") is None or \
+        int(res6[0]["msDS-Behavior-Version"][0]) < DS_DOMAIN_FUNCTION_2000:
+        names.domainlevel = DS_DOMAIN_FUNCTION_2000
+    else:
+        names.domainlevel = int(res6[0]["msDS-Behavior-Version"][0])
+
+    # policy guid
+    res7 = samdb.search(expression="(displayName=Default Domain Policy)",
+                        base="CN=Policies,CN=System," + basedn,
+                        scope=ldb.SCOPE_ONELEVEL, attrs=["cn","displayName"])
+    names.policyid = str(res7[0]["cn"]).replace("{","").replace("}","")
+    # dc policy guid
+    res8 = samdb.search(expression="(displayName=Default Domain Controllers"
+                                   " Policy)",
+                            base="CN=Policies,CN=System," + basedn,
+                            scope=ldb.SCOPE_ONELEVEL, attrs=["cn","displayName"])
+    if len(res8) == 1:
+        names.policyid_dc = str(res8[0]["cn"]).replace("{","").replace("}","")
+    else:
+        names.policyid_dc = None
+    res9 = idmapdb.search(expression="(cn=%s)" %
+                            (security.SID_BUILTIN_ADMINISTRATORS),
+                            attrs=["xidNumber"])
+    if len(res9) == 1:
+        names.wheel_gid = res9[0]["xidNumber"]
+    else:
+        raise ProvisioningError("Unable to find uid/gid for Domain Admins rid")
+    return names
 
-def update_provision_usn(samdb, low, high, replace=False):
+def update_provision_usn(samdb, low, high, id, replace=False):
     """Update the field provisionUSN in sam.ldb
 
     This field is used to track range of USN modified by provision and
@@ -229,6 +320,7 @@ def update_provision_usn(samdb, low, high, replace=False):
     :param samdb: An LDB object connect to sam.ldb
     :param low: The lowest USN modified by this upgrade
     :param high: The highest USN modified by this upgrade
+    :param id: The invocation id of the samba's dc
     :param replace: A boolean indicating if the range should replace any
                     existing one or appended (default)
     """
@@ -240,17 +332,24 @@ def update_provision_usn(samdb, low, high, replace=False):
                                 scope=ldb.SCOPE_SUBTREE,
                                 attrs=[LAST_PROVISION_USN_ATTRIBUTE, "dn"])
         for e in entry[0][LAST_PROVISION_USN_ATTRIBUTE]:
+            if not re.search(';', e):
+                e = "%s;%s" % (e, id)
             tab.append(str(e))
 
-    tab.append("%s-%s" % (low, high))
+    tab.append("%s-%s;%s" % (low, high, id))
     delta = ldb.Message()
     delta.dn = ldb.Dn(samdb, "@PROVISION")
     delta[LAST_PROVISION_USN_ATTRIBUTE] = ldb.MessageElement(tab,
         ldb.FLAG_MOD_REPLACE, LAST_PROVISION_USN_ATTRIBUTE)
+    entry = samdb.search(expression="(&(dn=@PROVISION)(provisionnerID=*))",
+                            base="", scope=ldb.SCOPE_SUBTREE,
+                            attrs=["provisionnerID"])
+    if len(entry) == 0 or len(entry[0]) == 0:
+        delta["provisionnerID"] = ldb.MessageElement(id, ldb.FLAG_MOD_ADD, "provisionnerID")
     samdb.modify(delta)
 
 
-def set_provision_usn(samdb, low, high):
+def set_provision_usn(samdb, low, high, id):
     """Set the field provisionUSN in sam.ldb
     This field is used to track range of USN modified by provision and
     upgradeprovision.
@@ -259,9 +358,12 @@ def set_provision_usn(samdb, low, high):
 
     :param samdb: An LDB object connect to sam.ldb
     :param low: The lowest USN modified by this upgrade
-    :param high: The highest USN modified by this upgrade"""
+    :param high: The highest USN modified by this upgrade
+    :param id: The invocationId of the provision"""
+
     tab = []
-    tab.append("%s-%s" % (low, high))
+    tab.append("%s-%s;%s" % (low, high, id))
+
     delta = ldb.Message()
     delta.dn = ldb.Dn(samdb, "@PROVISION")
     delta[LAST_PROVISION_USN_ATTRIBUTE] = ldb.MessageElement(tab,
@@ -286,25 +388,36 @@ def get_max_usn(samdb,basedn):
 
 
 def get_last_provision_usn(sam):
-    """Get the lastest USN modified by a provision or an upgradeprovision
+    """Get USNs ranges modified by a provision or an upgradeprovision
 
     :param sam: An LDB object pointing to the sam.ldb
-    :return: an integer corresponding to the highest USN modified by
-        (upgrade)provision, 0 is this value is unknown
+    :return: a dictionnary which keys are invocation id and values are an array
+             of integer representing the different ranges
     """
     entry = sam.search(expression="(&(dn=@PROVISION)(%s=*))" %
                         LAST_PROVISION_USN_ATTRIBUTE,
                         base="", scope=ldb.SCOPE_SUBTREE,
-                        attrs=[LAST_PROVISION_USN_ATTRIBUTE])
+                        attrs=[LAST_PROVISION_USN_ATTRIBUTE, "provisionnerID"])
     if len(entry):
-        range = []
-        idx = 0
+        myids = []
+        range = {}
         p = re.compile(r'-')
+        if entry[0].get("provisionnerID"):
+            for e in entry[0]["provisionnerID"]:
+                myids.append(str(e))
         for r in entry[0][LAST_PROVISION_USN_ATTRIBUTE]:
-            tab = p.split(str(r))
-            range.append(tab[0])
-            range.append(tab[1])
-            idx = idx + 1
+            tab1 = str(r).split(';')
+            if len(tab1) == 2:
+                id = tab1[1]
+            else:
+                id = "default"
+            if (len(myids) > 0 and id not in myids):
+                continue
+            tab2 = p.split(tab1[0])
+            if range.get(id) == None:
+                range[id] = []
+            range[id].append(tab2[0])
+            range[id].append(tab2[1])
         return range
     else:
         return None
@@ -328,7 +441,7 @@ def check_install(lp, session_info, credentials):
     """
     if lp.get("realm") == "":
         raise Exception("Realm empty")
-    samdb = Ldb(lp.get("sam database"), session_info=session_info,
+    samdb = Ldb(lp.samdb_url(), session_info=session_info,
             credentials=credentials, lp=lp)
     if len(samdb.search("(cn=Administrator)")) != 1:
         raise ProvisioningError("No administrator account found")
@@ -413,12 +526,9 @@ def provision_paths_from_lp(lp, dnsdomain):
     paths.keytab = "secrets.keytab"
 
     paths.shareconf = os.path.join(paths.private_dir, "share.ldb")
-    paths.samdb = os.path.join(paths.private_dir,
-        lp.get("sam database") or "samdb.ldb")
-    paths.idmapdb = os.path.join(paths.private_dir,
-        lp.get("idmap database") or "idmap.ldb")
-    paths.secrets = os.path.join(paths.private_dir,
-        lp.get("secrets database") or "secrets.ldb")
+    paths.samdb = os.path.join(paths.private_dir, "sam.ldb")
+    paths.idmapdb = os.path.join(paths.private_dir, "idmap.ldb")
+    paths.secrets = os.path.join(paths.private_dir, "secrets.ldb")
     paths.privilege = os.path.join(paths.private_dir, "privilege.ldb")
     paths.dns = os.path.join(paths.private_dir, "dns", dnsdomain + ".zone")
     paths.dns_update_list = os.path.join(paths.private_dir, "dns_update_list")
@@ -608,11 +718,6 @@ def make_smbconf(smbconf, hostname, domain, realm, serverrole,
         privatedir_line = ""
         lockdir_line = ""
 
-    if sid_generator == "internal":
-        sid_generator_line = ""
-    else:
-        sid_generator_line = "sid generator = " + sid_generator
-
     sysvol = os.path.join(lp.get("lock dir"), "sysvol")
     netlogon = os.path.join(sysvol, realm.lower(), "scripts")
 
@@ -624,7 +729,6 @@ def make_smbconf(smbconf, hostname, domain, realm, serverrole,
             "SERVERROLE": serverrole,
             "NETLOGONPATH": netlogon,
             "SYSVOLPATH": sysvol,
-            "SIDGENERATOR_LINE": sid_generator_line,
             "PRIVATEDIR_LINE": privatedir_line,
             "LOCKDIR_LINE": lockdir_line
             })
@@ -1166,6 +1270,11 @@ def setup_samdb(path, session_info, provision_backend, lp, names,
             "DESCRIPTOR": descr,
             })
 
+        # Now register this container in the root of the forest
+        msg = ldb.Message(ldb.Dn(samdb, names.domaindn))
+        msg["subRefs"] = ldb.MessageElement(names.configdn , ldb.FLAG_MOD_ADD,
+                    "subRefs")
+
         # The LDIF here was created when the Schema object was constructed
         logger.info("Setting up sam.ldb schema")
         samdb.add_ldif(schema.schema_dn_add, controls=["relax:0"])
@@ -1196,7 +1305,6 @@ def setup_samdb(path, session_info, provision_backend, lp, names,
         samdb.invocation_id = invocationid
 
         logger.info("Setting up sam.ldb configuration data")
-        descr = b64encode(get_sites_descriptor(domainsid))
         setup_add_ldif(samdb, setup_path("provision_configuration.ldif"), {
             "CONFIGDN": names.configdn,
             "NETBIOSNAME": names.netbiosname,
@@ -1208,7 +1316,6 @@ def setup_samdb(path, session_info, provision_backend, lp, names,
             "SERVERDN": names.serverdn,
             "FOREST_FUNCTIONALITY": str(forestFunctionality),
             "DOMAIN_FUNCTIONALITY": str(domainFunctionality),
-            "SITES_DESCRIPTOR": descr
             })
 
         logger.info("Setting up display specifiers")
@@ -1365,6 +1472,25 @@ def setsysvolacl(samdb, netlogon, sysvol, gid, domainsid, dnsdomain, domaindn,
     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp)
 
 
+def interface_ips_v4(lp):
+    '''return only IPv4 IPs'''
+    ips = samba.interface_ips(lp, False)
+    ret = []
+    for i in ips:
+        if i.find(':') == -1:
+            ret.append(i)
+    return ret
+
+def interface_ips_v6(lp, linklocal=False):
+    '''return only IPv6 IPs'''
+    ips = samba.interface_ips(lp, False)
+    ret = []
+    for i in ips:
+        if i.find(':') != -1 and (linklocal or i.find('%') == -1):
+            ret.append(i)
+    return ret
+
+
 def provision(logger, session_info, credentials, smbconf=None,
         targetdir=None, samdb_fill=FILL_FULL, realm=None, rootdn=None,
         domaindn=None, schemadn=None, configdn=None, serverdn=None,
@@ -1465,15 +1591,26 @@ def provision(logger, session_info, credentials, smbconf=None,
 
     if hostip is None:
         logger.info("Looking up IPv4 addresses")
-        hostips = samba.interface_ips(lp, False)
-        if len(hostips) == 0:
-            logger.warning("No external IPv4 address has been found. Using loopback.")
-            hostip = '127.0.0.1'
-        else:
+        hostips = interface_ips_v4(lp)
+        if len(hostips) > 0:
             hostip = hostips[0]
             if len(hostips) > 1:
-                logger.warning("More than one IPv4 address found. Using %s.",
+                logger.warning("More than one IPv4 address found. Using %s",
                     hostip)
+    if hostip == "127.0.0.1":
+        hostip = None
+    if hostip is None:
+        logger.warning("No IPv4 address will be assigned")
+
+    if hostip6 is None:
+        logger.info("Looking up IPv6 addresses")
+        hostips = interface_ips_v6(lp, linklocal=False)
+        if hostips:
+            hostip6 = hostips[0]
+        if len(hostips) > 1:
+            logger.warning("More than one IPv6 address found. Using %s", hostip6)
+    if hostip6 is None:
+        logger.warning("No IPv6 address will be assigned")
 
     if serverrole is None:
         serverrole = lp.get("server role")
@@ -1640,6 +1777,7 @@ def provision(logger, session_info, credentials, smbconf=None,
 
                 create_named_txt(paths.namedtxt,
                     realm=names.realm, dnsdomain=names.dnsdomain,
+                    dnsname = "%s.%s" % (names.hostname, names.dnsdomain),
                     private_dir=paths.private_dir,
                     keytab_name=paths.dns_keytab)
                 logger.info("See %s for an example configuration include file for BIND", paths.namedconf)
@@ -1649,9 +1787,9 @@ def provision(logger, session_info, credentials, smbconf=None,
             lastProvisionUSNs = get_last_provision_usn(samdb)
             maxUSN = get_max_usn(samdb, str(names.rootdn))
             if lastProvisionUSNs is not None:
-                update_provision_usn(samdb, 0, maxUSN, 1)
+                update_provision_usn(samdb, 0, maxUSN, invocationid, 1)
             else:
-                set_provision_usn(samdb, 0, maxUSN)
+                set_provision_usn(samdb, 0, maxUSN, invocationid)
 
         create_krb5_conf(paths.krb5conf,
                          dnsdomain=names.dnsdomain, hostname=names.hostname,
@@ -1740,7 +1878,7 @@ def provision_become_dc(smbconf=None, targetdir=None,
         smbconf=smbconf, targetdir=targetdir, samdb_fill=FILL_DRS,
         realm=realm, rootdn=rootdn, domaindn=domaindn, schemadn=schemadn,
         configdn=configdn, serverdn=serverdn, domain=domain,
-        hostname=hostname, hostip="127.0.0.1", domainsid=domainsid,
+        hostname=hostname, hostip=None, domainsid=domainsid,
         machinepass=machinepass, serverrole="domain controller",
         sitename=sitename)
     res.lp.set("debuglevel", str(debuglevel))
@@ -1876,7 +2014,7 @@ def create_named_conf(paths, realm, dnsdomain,
     setup_file(setup_path("named.conf.update"), paths.namedconf_update)
 
 
-def create_named_txt(path, realm, dnsdomain, private_dir,
+def create_named_txt(path, realm, dnsdomain, dnsname, private_dir,
     keytab_name):
     """Write out a file containing zone statements suitable for inclusion in a
     named.conf file (including GSS-TSIG configuration).
@@ -1889,6 +2027,7 @@ def create_named_txt(path, realm, dnsdomain, private_dir,
     """
     setup_file(setup_path("named.txt"), path, {
             "DNSDOMAIN": dnsdomain,
+            "DNSNAME" : dnsname, 
             "REALM": realm,
             "DNS_KEYTAB": keytab_name,
             "DNS_KEYTAB_ABS": os.path.join(private_dir, keytab_name),
diff --git a/source4/scripting/python/samba/samba3.py b/source4/scripting/python/samba/samba3.py
index 2c323bd0b4..ae5b20edd2 100644
--- a/source4/scripting/python/samba/samba3.py
+++ b/source4/scripting/python/samba/samba3.py
@@ -50,9 +50,12 @@ class TdbDatabase(object):
     def __init__(self, file):
         """Open a file.
 
-        :param file: Path of the file to open.
+        :param file: Path of the file to open (appending "2" if TDB2 enabled).
         """
-        self.tdb = tdb.Tdb(file, flags=os.O_RDONLY)
+        if tdb.__version__.startswith("2"):
+            self.tdb = tdb.Tdb(file + "2", flags=os.O_RDONLY)
+        else:
+            self.tdb = tdb.Tdb(file, flags=os.O_RDONLY)
         self._check_version()
 
     def _check_version(self):
diff --git a/source4/scripting/python/samba/samdb.py b/source4/scripting/python/samba/samdb.py
index 99f141e664..72ee472764 100644
--- a/source4/scripting/python/samba/samdb.py
+++ b/source4/scripting/python/samba/samdb.py
@@ -46,7 +46,7 @@ class SamDB(samba.Ldb):
         if not auto_connect:
             url = None
         elif url is None and lp is not None:
-            url = lp.get("sam database")
+            url = lp.samdb_url()
 
         super(SamDB, self).__init__(url=url, lp=lp, modules_dir=modules_dir,
             session_info=session_info, credentials=credentials, flags=flags,
@@ -79,6 +79,8 @@ class SamDB(samba.Ldb):
         """
         res = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
                           expression=search_filter, attrs=["userAccountControl"])
+        if len(res) == 0:
+                raise Exception('Unable to find user "%s"' % search_filter)
         assert(len(res) == 1)
         user_dn = res[0].dn
 
@@ -106,6 +108,8 @@ userAccountControl: %u
         """
         res = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
                           expression=search_filter, attrs=[])
+        if len(res) == 0:
+                raise Exception('Unable to find user "%s"' % search_filter)
         assert(len(res) == 1)
         user_dn = res[0].dn
 
@@ -138,7 +142,7 @@ pwdLastSet: 0
             "objectClass": "group"}
 
         if grouptype is not None:
-            ldbmessage["groupType"] = "%d" % grouptype
+            ldbmessage["groupType"] = self.normalise_int32(grouptype)
 
         if description is not None:
             ldbmessage["description"] = description
@@ -409,6 +413,8 @@ unicodePwd:: %s
             res = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
                           expression=search_filter,
                           attrs=["userAccountControl", "accountExpires"])
+            if len(res) == 0:
+                raise Exception('Unable to find user "%s"' % search_filter)
             assert(len(res) == 1)
             user_dn = res[0].dn
 
@@ -470,9 +476,14 @@ accountExpires: %u
 
     def get_attid_from_lDAPDisplayName(self, ldap_display_name,
             is_schema_nc=False):
+        '''return the attribute ID for a LDAP attribute as an integer as found in DRSUAPI'''
         return dsdb._dsdb_get_attid_from_lDAPDisplayName(self,
             ldap_display_name, is_schema_nc)
 
+    def get_syntax_oid_from_lDAPDisplayName(self, ldap_display_name):
+        '''return the syntax OID for a LDAP attribute as a string'''
+        return dsdb._dsdb_get_syntax_oid_from_lDAPDisplayName(self, ldap_display_name)
+
     def set_ntds_settings_dn(self, ntds_settings_dn):
         """Set the NTDS Settings DN, as would be returned on the dsServiceName
         rootDSE attribute.
@@ -501,8 +512,13 @@ accountExpires: %u
         dsdb._dsdb_set_schema_from_ldb(self, ldb_conn)
 
     def dsdb_DsReplicaAttribute(self, ldb, ldap_display_name, ldif_elements):
+        '''convert a list of attribute values to a DRSUAPI DsReplicaAttribute'''
         return dsdb._dsdb_DsReplicaAttribute(ldb, ldap_display_name, ldif_elements)
 
+    def dsdb_normalise_attributes(self, ldb, ldap_display_name, ldif_elements):
+        '''normalise a list of attribute values'''
+        return dsdb._dsdb_normalise_attributes(ldb, ldap_display_name, ldif_elements)
+
     def get_attribute_from_attid(self, attid):
         """ Get from an attid the associated attribute
 
@@ -711,3 +727,9 @@ accountExpires: %u
         if sd:
             m["nTSecurityDescriptor"] = ndr_pack(sd)
         self.add(m)
+
+    def normalise_int32(self, ivalue):
+        '''normalise a ldap integer to signed 32 bit'''
+        if int(ivalue) & 0x80000000:
+            return str(int(ivalue) - 0x100000000)
+        return str(ivalue)
diff --git a/source4/scripting/python/samba/tests/samba3sam.py b/source4/scripting/python/samba/tests/samba3sam.py
index a34f0f620c..7353391519 100644
--- a/source4/scripting/python/samba/tests/samba3sam.py
+++ b/source4/scripting/python/samba/tests/samba3sam.py
@@ -30,6 +30,7 @@ from samba.tests import TestCaseInTempDir, env_loadparm
 import samba.dcerpc.security
 import samba.ndr
 from samba.auth import system_session
+from operator import attrgetter
 
 
 def read_datafile(filename):
@@ -64,7 +65,6 @@ class MapBaseTestCase(TestCaseInTempDir):
 
     def setUp(self):
         self.lp = env_loadparm()
-        self.lp.set("sid generator", "backend")
         self.lp.set("workgroup", "TESTS")
         self.lp.set("netbios name", "TESTS")
         super(MapBaseTestCase, self).setUp()
@@ -86,6 +86,7 @@ class MapBaseTestCase(TestCaseInTempDir):
 
             def __init__(self, basedn, dn, lp):
                 self.db = Ldb(lp=lp, session_info=system_session())
+                self.db.set_opaque("skip_allocate_sids", "true");
                 self.basedn = basedn
                 self.basedn_casefold = ldb.Dn(self.db, basedn).get_casefold()
                 self.substvars = {"BASEDN": self.basedn}
@@ -135,12 +136,14 @@ class Samba3SamTestCase(MapBaseTestCase):
     def setUp(self):
         super(Samba3SamTestCase, self).setUp()
         ldb = Ldb(self.ldburl, lp=self.lp, session_info=system_session())
+        ldb.set_opaque("skip_allocate_sids", "true");
         self.samba3.setup_data("samba3.ldif")
         ldif = read_datafile("provision_samba3sam.ldif")
         ldb.add_ldif(self.samba4.subst(ldif))
         self.setup_modules(ldb, self.samba3, self.samba4)
         del ldb
         self.ldb = Ldb(self.ldburl, lp=self.lp, session_info=system_session())
+        self.ldb.set_opaque("skip_allocate_sids", "true");
 
     def test_search_non_mapped(self):
         """Looking up by non-mapped attribute"""
@@ -302,11 +305,13 @@ class MapTestCase(MapBaseTestCase):
     def setUp(self):
         super(MapTestCase, self).setUp()
         ldb = Ldb(self.ldburl, lp=self.lp, session_info=system_session())
+        ldb.set_opaque("skip_allocate_sids", "true");
         ldif = read_datafile("provision_samba3sam.ldif")
         ldb.add_ldif(self.samba4.subst(ldif))
         self.setup_modules(ldb, self.samba3, self.samba4)
         del ldb
         self.ldb = Ldb(self.ldburl, lp=self.lp, session_info=system_session())
+        self.ldb.set_opaque("skip_allocate_sids", "true");
 
     def test_map_search(self):
         """Running search tests on mapped data."""
@@ -439,34 +444,37 @@ objectSid: S-1-5-21-4231626423-2410014848-2360679739-552
         res = self.ldb.search(expression="(revision=x)", scope=SCOPE_DEFAULT, 
                 attrs=["dnsHostName", "lastLogon"])
         self.assertEquals(len(res), 2)
-        self.assertEquals(str(res[0].dn), self.samba4.dn("cn=Y"))
-        self.assertEquals(str(res[0]["dnsHostName"]), "y")
-        self.assertEquals(str(res[0]["lastLogon"]), "y")
-        self.assertEquals(str(res[1].dn), self.samba4.dn("cn=X"))
-        self.assertEquals(str(res[1]["dnsHostName"]), "x")
-        self.assertEquals(str(res[1]["lastLogon"]), "x")
+        res = sorted(res, key=attrgetter('dn'))
+        self.assertEquals(str(res[0].dn), self.samba4.dn("cn=X"))
+        self.assertEquals(str(res[0]["dnsHostName"]), "x")
+        self.assertEquals(str(res[0]["lastLogon"]), "x")
+        self.assertEquals(str(res[1].dn), self.samba4.dn("cn=Y"))
+        self.assertEquals(str(res[1]["dnsHostName"]), "y")
+        self.assertEquals(str(res[1]["lastLogon"]), "y")
 
         # Search by kept attribute
         res = self.ldb.search(expression="(description=y)", 
                 scope=SCOPE_DEFAULT, attrs=["dnsHostName", "lastLogon"])
         self.assertEquals(len(res), 2)
-        self.assertEquals(str(res[0].dn), self.samba4.dn("cn=Z"))
-        self.assertEquals(str(res[0]["dnsHostName"]), "z")
+        res = sorted(res, key=attrgetter('dn'))
+        self.assertEquals(str(res[0].dn), self.samba4.dn("cn=C"))
+        self.assertTrue(not "dnsHostName" in res[0])
         self.assertEquals(str(res[0]["lastLogon"]), "z")
-        self.assertEquals(str(res[1].dn), self.samba4.dn("cn=C"))
-        self.assertTrue(not "dnsHostName" in res[1])
+        self.assertEquals(str(res[1].dn), self.samba4.dn("cn=Z"))
+        self.assertEquals(str(res[1]["dnsHostName"]), "z")
         self.assertEquals(str(res[1]["lastLogon"]), "z")
 
         # Search by renamed attribute
         res = self.ldb.search(expression="(badPwdCount=x)", scope=SCOPE_DEFAULT,
                               attrs=["dnsHostName", "lastLogon"])
         self.assertEquals(len(res), 2)
-        self.assertEquals(str(res[0].dn), self.samba4.dn("cn=B"))
+        res = sorted(res, key=attrgetter('dn'))
+        self.assertEquals(str(res[0].dn), self.samba4.dn("cn=A"))
         self.assertTrue(not "dnsHostName" in res[0])
-        self.assertEquals(str(res[0]["lastLogon"]), "y")
-        self.assertEquals(str(res[1].dn), self.samba4.dn("cn=A"))
+        self.assertEquals(str(res[0]["lastLogon"]), "x")
+        self.assertEquals(str(res[1].dn), self.samba4.dn("cn=B"))
         self.assertTrue(not "dnsHostName" in res[1])
-        self.assertEquals(str(res[1]["lastLogon"]), "x")
+        self.assertEquals(str(res[1]["lastLogon"]), "y")
 
         # Search by converted attribute
         # TODO:
@@ -475,18 +483,19 @@ objectSid: S-1-5-21-4231626423-2410014848-2360679739-552
         #res = self.ldb.search("(objectSid=S-1-5-21-4231626423-2410014848-2360679739-552)", scope=SCOPE_DEFAULT, attrs)
         res = self.ldb.search(expression="(objectSid=*)", base=None, scope=SCOPE_DEFAULT, attrs=["dnsHostName", "lastLogon", "objectSid"])
         self.assertEquals(len(res), 4)
-        self.assertEquals(str(res[0].dn), self.samba4.dn("cn=X"))
-        self.assertEquals(str(res[0]["dnsHostName"]), "x")
-        self.assertEquals(str(res[0]["lastLogon"]), "x")
-        self.assertSidEquals("S-1-5-21-4231626423-2410014848-2360679739-552", 
-                             res[0]["objectSid"])
-        self.assertTrue("objectSid" in res[0])
-        self.assertEquals(str(res[1].dn), self.samba4.dn("cn=A"))
-        self.assertTrue(not "dnsHostName" in res[1])
+        res = sorted(res, key=attrgetter('dn'))
+        self.assertEquals(str(res[1].dn), self.samba4.dn("cn=X"))
+        self.assertEquals(str(res[1]["dnsHostName"]), "x")
         self.assertEquals(str(res[1]["lastLogon"]), "x")
         self.assertSidEquals("S-1-5-21-4231626423-2410014848-2360679739-552",
                              res[1]["objectSid"])
         self.assertTrue("objectSid" in res[1])
+        self.assertEquals(str(res[0].dn), self.samba4.dn("cn=A"))
+        self.assertTrue(not "dnsHostName" in res[0])
+        self.assertEquals(str(res[0]["lastLogon"]), "x")
+        self.assertSidEquals("S-1-5-21-4231626423-2410014848-2360679739-552",
+                             res[0]["objectSid"])
+        self.assertTrue("objectSid" in res[0])
 
         # Search by generated attribute 
         # In most cases, this even works when the mapping is missing
@@ -519,12 +528,13 @@ objectSid: S-1-5-21-4231626423-2410014848-2360679739-552
         attrs = ["dnsHostName", "lastLogon", "objectClass"]
         res = self.ldb.search(expression="(objectClass=user)", attrs=attrs)
         self.assertEquals(len(res), 2)
-        self.assertEquals(str(res[0].dn), self.samba4.dn("cn=X"))
-        self.assertEquals(str(res[0]["dnsHostName"]), "x")
+        res = sorted(res, key=attrgetter('dn'))
+        self.assertEquals(str(res[0].dn), self.samba4.dn("cn=A"))
+        self.assertTrue(not "dnsHostName" in res[0])
         self.assertEquals(str(res[0]["lastLogon"]), "x")
         self.assertEquals(str(res[0]["objectClass"][0]), "user")
-        self.assertEquals(str(res[1].dn), self.samba4.dn("cn=A"))
-        self.assertTrue(not "dnsHostName" in res[1])
+        self.assertEquals(str(res[1].dn), self.samba4.dn("cn=X"))
+        self.assertEquals(str(res[1]["dnsHostName"]), "x")
         self.assertEquals(str(res[1]["lastLogon"]), "x")
         self.assertEquals(str(res[1]["objectClass"][0]), "user")
 
@@ -532,18 +542,19 @@ objectSid: S-1-5-21-4231626423-2410014848-2360679739-552
         res = self.ldb.search(expression="(|(objectClass=user)(badPwdCount=x))",
                               attrs=attrs)
         self.assertEquals(len(res), 3)
-        self.assertEquals(str(res[0].dn), self.samba4.dn("cn=B"))
+        res = sorted(res, key=attrgetter('dn'))
+        self.assertEquals(str(res[0].dn), self.samba4.dn("cn=A"))
         self.assertTrue(not "dnsHostName" in res[0])
-        self.assertEquals(str(res[0]["lastLogon"]), "y")
-        self.assertEquals(set(res[0]["objectClass"]), set(["top"]))
-        self.assertEquals(str(res[1].dn), self.samba4.dn("cn=X"))
-        self.assertEquals(str(res[1]["dnsHostName"]), "x")
-        self.assertEquals(str(res[1]["lastLogon"]), "x")
-        self.assertEquals(str(res[1]["objectClass"][0]), "user")
-        self.assertEquals(str(res[2].dn), self.samba4.dn("cn=A"))
-        self.assertTrue(not "dnsHostName" in res[2])
+        self.assertEquals(str(res[0]["lastLogon"]), "x")
+        self.assertEquals(res[0]["objectClass"][0], "user")
+        self.assertEquals(str(res[1].dn), self.samba4.dn("cn=B"))
+        self.assertTrue(not "dnsHostName" in res[1])
+        self.assertEquals(str(res[1]["lastLogon"]), "y")
+        self.assertEquals(set(res[1]["objectClass"]), set(["top"]))
+        self.assertEquals(str(res[2].dn), self.samba4.dn("cn=X"))
+        self.assertEquals(str(res[2]["dnsHostName"]), "x")
         self.assertEquals(str(res[2]["lastLogon"]), "x")
-        self.assertEquals(res[2]["objectClass"][0], "user")
+        self.assertEquals(str(res[2]["objectClass"][0]), "user")
 
         # Testing search by parse tree
 
@@ -551,34 +562,37 @@ objectSid: S-1-5-21-4231626423-2410014848-2360679739-552
         res = self.ldb.search(expression="(&(codePage=x)(revision=x))", 
                               attrs=["dnsHostName", "lastLogon"])
         self.assertEquals(len(res), 2)
-        self.assertEquals(str(res[0].dn), self.samba4.dn("cn=Y"))
-        self.assertEquals(str(res[0]["dnsHostName"]), "y")
-        self.assertEquals(str(res[0]["lastLogon"]), "y")
-        self.assertEquals(str(res[1].dn), self.samba4.dn("cn=X"))
-        self.assertEquals(str(res[1]["dnsHostName"]), "x")
-        self.assertEquals(str(res[1]["lastLogon"]), "x")
+        res = sorted(res, key=attrgetter('dn'))
+        self.assertEquals(str(res[0].dn), self.samba4.dn("cn=X"))
+        self.assertEquals(str(res[0]["dnsHostName"]), "x")
+        self.assertEquals(str(res[0]["lastLogon"]), "x")
+        self.assertEquals(str(res[1].dn), self.samba4.dn("cn=Y"))
+        self.assertEquals(str(res[1]["dnsHostName"]), "y")
+        self.assertEquals(str(res[1]["lastLogon"]), "y")
 
         # Search by conjunction of remote attributes
         res = self.ldb.search(expression="(&(lastLogon=x)(description=x))", 
                               attrs=["dnsHostName", "lastLogon"])
         self.assertEquals(len(res), 2)
-        self.assertEquals(str(res[0].dn), self.samba4.dn("cn=X"))
-        self.assertEquals(str(res[0]["dnsHostName"]), "x")
+        res = sorted(res, key=attrgetter('dn'))
+        self.assertEquals(str(res[0].dn), self.samba4.dn("cn=A"))
+        self.assertTrue(not "dnsHostName" in res[0])
         self.assertEquals(str(res[0]["lastLogon"]), "x")
-        self.assertEquals(str(res[1].dn), self.samba4.dn("cn=A"))
-        self.assertTrue(not "dnsHostName" in res[1])
+        self.assertEquals(str(res[1].dn), self.samba4.dn("cn=X"))
+        self.assertEquals(str(res[1]["dnsHostName"]), "x")
         self.assertEquals(str(res[1]["lastLogon"]), "x")
         
         # Search by conjunction of local and remote attribute 
         res = self.ldb.search(expression="(&(codePage=x)(description=x))", 
                               attrs=["dnsHostName", "lastLogon"])
         self.assertEquals(len(res), 2)
-        self.assertEquals(str(res[0].dn), self.samba4.dn("cn=Y"))
-        self.assertEquals(str(res[0]["dnsHostName"]), "y")
-        self.assertEquals(str(res[0]["lastLogon"]), "y")
-        self.assertEquals(str(res[1].dn), self.samba4.dn("cn=X"))
-        self.assertEquals(str(res[1]["dnsHostName"]), "x")
-        self.assertEquals(str(res[1]["lastLogon"]), "x")
+        res = sorted(res, key=attrgetter('dn'))
+        self.assertEquals(str(res[0].dn), self.samba4.dn("cn=X"))
+        self.assertEquals(str(res[0]["dnsHostName"]), "x")
+        self.assertEquals(str(res[0]["lastLogon"]), "x")
+        self.assertEquals(str(res[1].dn), self.samba4.dn("cn=Y"))
+        self.assertEquals(str(res[1]["dnsHostName"]), "y")
+        self.assertEquals(str(res[1]["lastLogon"]), "y")
 
         # Search by conjunction of local and remote attribute w/o match
         attrs = ["dnsHostName", "lastLogon"]
@@ -593,40 +607,43 @@ objectSid: S-1-5-21-4231626423-2410014848-2360679739-552
         res = self.ldb.search(expression="(|(revision=x)(dnsHostName=x))", 
                               attrs=["dnsHostName", "lastLogon"])
         self.assertEquals(len(res), 2)
-        self.assertEquals(str(res[0].dn), self.samba4.dn("cn=Y"))
-        self.assertEquals(str(res[0]["dnsHostName"]), "y")
-        self.assertEquals(str(res[0]["lastLogon"]), "y")
-        self.assertEquals(str(res[1].dn), self.samba4.dn("cn=X"))
-        self.assertEquals(str(res[1]["dnsHostName"]), "x")
-        self.assertEquals(str(res[1]["lastLogon"]), "x")
+        res = sorted(res, key=attrgetter('dn'))
+        self.assertEquals(str(res[0].dn), self.samba4.dn("cn=X"))
+        self.assertEquals(str(res[0]["dnsHostName"]), "x")
+        self.assertEquals(str(res[0]["lastLogon"]), "x")
+        self.assertEquals(str(res[1].dn), self.samba4.dn("cn=Y"))
+        self.assertEquals(str(res[1]["dnsHostName"]), "y")
+        self.assertEquals(str(res[1]["lastLogon"]), "y")
 
         # Search by disjunction of remote attributes
         res = self.ldb.search(expression="(|(badPwdCount=x)(lastLogon=x))", 
                               attrs=["dnsHostName", "lastLogon"])
         self.assertEquals(len(res), 3)
-        self.assertEquals(str(res[0].dn), self.samba4.dn("cn=B"))
+        res = sorted(res, key=attrgetter('dn'))
+        self.assertEquals(str(res[0].dn), self.samba4.dn("cn=A"))
         self.assertFalse("dnsHostName" in res[0])
-        self.assertEquals(str(res[0]["lastLogon"]), "y")
-        self.assertEquals(str(res[1].dn), self.samba4.dn("cn=X"))
-        self.assertEquals(str(res[1]["dnsHostName"]), "x")
-        self.assertEquals(str(res[1]["lastLogon"]), "x")
-        self.assertEquals(str(res[2].dn), self.samba4.dn("cn=A"))
-        self.assertFalse("dnsHostName" in res[2])
+        self.assertEquals(str(res[0]["lastLogon"]), "x")
+        self.assertEquals(str(res[1].dn), self.samba4.dn("cn=B"))
+        self.assertFalse("dnsHostName" in res[1])
+        self.assertEquals(str(res[1]["lastLogon"]), "y")
+        self.assertEquals(str(res[2].dn), self.samba4.dn("cn=X"))
+        self.assertEquals(str(res[2]["dnsHostName"]), "x")
         self.assertEquals(str(res[2]["lastLogon"]), "x")
 
         # Search by disjunction of local and remote attribute
         res = self.ldb.search(expression="(|(revision=x)(lastLogon=y))", 
                               attrs=["dnsHostName", "lastLogon"])
         self.assertEquals(len(res), 3)
-        self.assertEquals(str(res[0].dn), self.samba4.dn("cn=Y"))
-        self.assertEquals(str(res[0]["dnsHostName"]), "y")
+        res = sorted(res, key=attrgetter('dn'))
+        self.assertEquals(str(res[0].dn), self.samba4.dn("cn=B"))
+        self.assertFalse("dnsHostName" in res[0])
         self.assertEquals(str(res[0]["lastLogon"]), "y")
-        self.assertEquals(str(res[1].dn), self.samba4.dn("cn=B"))
-        self.assertFalse("dnsHostName" in res[1])
-        self.assertEquals(str(res[1]["lastLogon"]), "y")
-        self.assertEquals(str(res[2].dn), self.samba4.dn("cn=X"))
-        self.assertEquals(str(res[2]["dnsHostName"]), "x")
-        self.assertEquals(str(res[2]["lastLogon"]), "x")
+        self.assertEquals(str(res[1].dn), self.samba4.dn("cn=X"))
+        self.assertEquals(str(res[1]["dnsHostName"]), "x")
+        self.assertEquals(str(res[1]["lastLogon"]), "x")
+        self.assertEquals(str(res[2].dn), self.samba4.dn("cn=Y"))
+        self.assertEquals(str(res[2]["dnsHostName"]), "y")
+        self.assertEquals(str(res[2]["lastLogon"]), "y")
 
         # Search by disjunction of local and remote attribute w/o match
         res = self.ldb.search(expression="(|(codePage=y)(nextRid=z))", 
@@ -637,142 +654,151 @@ objectSid: S-1-5-21-4231626423-2410014848-2360679739-552
         res = self.ldb.search(expression="(!(revision=x))", 
                               attrs=["dnsHostName", "lastLogon"])
         self.assertEquals(len(res), 6)
-        self.assertEquals(str(res[0].dn), self.samba4.dn("cn=B"))
+        res = sorted(res, key=attrgetter('dn'))
+        self.assertEquals(str(res[0].dn), self.samba4.dn("cn=A"))
         self.assertTrue(not "dnsHostName" in res[0])
-        self.assertEquals(str(res[0]["lastLogon"]), "y")
-        self.assertEquals(str(res[1].dn), self.samba4.dn("cn=A"))
+        self.assertEquals(str(res[0]["lastLogon"]), "x")
+        self.assertEquals(str(res[1].dn), self.samba4.dn("cn=B"))
         self.assertTrue(not "dnsHostName" in res[1])
-        self.assertEquals(str(res[1]["lastLogon"]), "x")
-        self.assertEquals(str(res[2].dn), self.samba4.dn("cn=Z"))
-        self.assertEquals(str(res[2]["dnsHostName"]), "z")
+        self.assertEquals(str(res[1]["lastLogon"]), "y")
+        self.assertEquals(str(res[2].dn), self.samba4.dn("cn=C"))
+        self.assertTrue(not "dnsHostName" in res[2])
         self.assertEquals(str(res[2]["lastLogon"]), "z")
-        self.assertEquals(str(res[3].dn), self.samba4.dn("cn=C"))
-        self.assertTrue(not "dnsHostName" in res[3])
+        self.assertEquals(str(res[3].dn), self.samba4.dn("cn=Z"))
+        self.assertEquals(str(res[3]["dnsHostName"]), "z")
         self.assertEquals(str(res[3]["lastLogon"]), "z")
 
         # Search by negated remote attribute
         res = self.ldb.search(expression="(!(description=x))", 
                               attrs=["dnsHostName", "lastLogon"])
         self.assertEquals(len(res), 4)
-        self.assertEquals(str(res[0].dn), self.samba4.dn("cn=Z"))
-        self.assertEquals(str(res[0]["dnsHostName"]), "z")
+        res = sorted(res, key=attrgetter('dn'))
+        self.assertEquals(str(res[0].dn), self.samba4.dn("cn=C"))
+        self.assertTrue(not "dnsHostName" in res[0])
         self.assertEquals(str(res[0]["lastLogon"]), "z")
-        self.assertEquals(str(res[1].dn), self.samba4.dn("cn=C"))
-        self.assertTrue(not "dnsHostName" in res[1])
+        self.assertEquals(str(res[1].dn), self.samba4.dn("cn=Z"))
+        self.assertEquals(str(res[1]["dnsHostName"]), "z")
         self.assertEquals(str(res[1]["lastLogon"]), "z")
 
         # Search by negated conjunction of local attributes
         res = self.ldb.search(expression="(!(&(codePage=x)(revision=x)))", 
                               attrs=["dnsHostName", "lastLogon"])
         self.assertEquals(len(res), 6)
-        self.assertEquals(str(res[0].dn), self.samba4.dn("cn=B"))
+        res = sorted(res, key=attrgetter('dn'))
+        self.assertEquals(str(res[0].dn), self.samba4.dn("cn=A"))
         self.assertTrue(not "dnsHostName" in res[0])
-        self.assertEquals(str(res[0]["lastLogon"]), "y")
-        self.assertEquals(str(res[1].dn), self.samba4.dn("cn=A"))
+        self.assertEquals(str(res[0]["lastLogon"]), "x")
+        self.assertEquals(str(res[1].dn), self.samba4.dn("cn=B"))
         self.assertTrue(not "dnsHostName" in res[1])
-        self.assertEquals(str(res[1]["lastLogon"]), "x")
-        self.assertEquals(str(res[2].dn), self.samba4.dn("cn=Z"))
-        self.assertEquals(str(res[2]["dnsHostName"]), "z")
+        self.assertEquals(str(res[1]["lastLogon"]), "y")
+        self.assertEquals(str(res[2].dn), self.samba4.dn("cn=C"))
+        self.assertTrue(not "dnsHostName" in res[2])
         self.assertEquals(str(res[2]["lastLogon"]), "z")
-        self.assertEquals(str(res[3].dn), self.samba4.dn("cn=C"))
-        self.assertTrue(not "dnsHostName" in res[3])
+        self.assertEquals(str(res[3].dn), self.samba4.dn("cn=Z"))
+        self.assertEquals(str(res[3]["dnsHostName"]), "z")
         self.assertEquals(str(res[3]["lastLogon"]), "z")
 
         # Search by negated conjunction of remote attributes
         res = self.ldb.search(expression="(!(&(lastLogon=x)(description=x)))", 
                               attrs=["dnsHostName", "lastLogon"])
         self.assertEquals(len(res), 6)
-        self.assertEquals(str(res[0].dn), self.samba4.dn("cn=Y"))
-        self.assertEquals(str(res[0]["dnsHostName"]), "y")
+        res = sorted(res, key=attrgetter('dn'))
+        self.assertEquals(str(res[0].dn), self.samba4.dn("cn=B"))
+        self.assertTrue(not "dnsHostName" in res[0])
         self.assertEquals(str(res[0]["lastLogon"]), "y")
-        self.assertEquals(str(res[1].dn), self.samba4.dn("cn=B"))
+        self.assertEquals(str(res[1].dn), self.samba4.dn("cn=C"))
         self.assertTrue(not "dnsHostName" in res[1])
-        self.assertEquals(str(res[1]["lastLogon"]), "y")
-        self.assertEquals(str(res[2].dn), self.samba4.dn("cn=Z"))
-        self.assertEquals(str(res[2]["dnsHostName"]), "z")
-        self.assertEquals(str(res[2]["lastLogon"]), "z")
-        self.assertEquals(str(res[3].dn), self.samba4.dn("cn=C"))
-        self.assertTrue(not "dnsHostName" in res[3])
+        self.assertEquals(str(res[1]["lastLogon"]), "z")
+        self.assertEquals(str(res[2].dn), self.samba4.dn("cn=Y"))
+        self.assertEquals(str(res[2]["dnsHostName"]), "y")
+        self.assertEquals(str(res[2]["lastLogon"]), "y")
+        self.assertEquals(str(res[3].dn), self.samba4.dn("cn=Z"))
+        self.assertEquals(str(res[3]["dnsHostName"]), "z")
         self.assertEquals(str(res[3]["lastLogon"]), "z")
 
         # Search by negated conjunction of local and remote attribute
         res = self.ldb.search(expression="(!(&(codePage=x)(description=x)))", 
                               attrs=["dnsHostName", "lastLogon"])
         self.assertEquals(len(res), 6)
-        self.assertEquals(str(res[0].dn), self.samba4.dn("cn=B"))
+        res = sorted(res, key=attrgetter('dn'))
+        self.assertEquals(str(res[0].dn), self.samba4.dn("cn=A"))
         self.assertTrue(not "dnsHostName" in res[0])
-        self.assertEquals(str(res[0]["lastLogon"]), "y")
-        self.assertEquals(str(res[1].dn), self.samba4.dn("cn=A"))
+        self.assertEquals(str(res[0]["lastLogon"]), "x")
+        self.assertEquals(str(res[1].dn), self.samba4.dn("cn=B"))
         self.assertTrue(not "dnsHostName" in res[1])
-        self.assertEquals(str(res[1]["lastLogon"]), "x")
-        self.assertEquals(str(res[2].dn), self.samba4.dn("cn=Z"))
-        self.assertEquals(str(res[2]["dnsHostName"]), "z")
+        self.assertEquals(str(res[1]["lastLogon"]), "y")
+        self.assertEquals(str(res[2].dn), self.samba4.dn("cn=C"))
+        self.assertTrue(not "dnsHostName" in res[2])
         self.assertEquals(str(res[2]["lastLogon"]), "z")
-        self.assertEquals(str(res[3].dn), self.samba4.dn("cn=C"))
-        self.assertTrue(not "dnsHostName" in res[3])
+        self.assertEquals(str(res[3].dn), self.samba4.dn("cn=Z"))
+        self.assertEquals(str(res[3]["dnsHostName"]), "z")
         self.assertEquals(str(res[3]["lastLogon"]), "z")
 
         # Search by negated disjunction of local attributes
         res = self.ldb.search(expression="(!(|(revision=x)(dnsHostName=x)))", 
                               attrs=["dnsHostName", "lastLogon"])
-        self.assertEquals(str(res[0].dn), self.samba4.dn("cn=B"))
+        res = sorted(res, key=attrgetter('dn'))
+        self.assertEquals(str(res[0].dn), self.samba4.dn("cn=A"))
         self.assertTrue(not "dnsHostName" in res[0])
-        self.assertEquals(str(res[0]["lastLogon"]), "y")
-        self.assertEquals(str(res[1].dn), self.samba4.dn("cn=A"))
+        self.assertEquals(str(res[0]["lastLogon"]), "x")
+        self.assertEquals(str(res[1].dn), self.samba4.dn("cn=B"))
         self.assertTrue(not "dnsHostName" in res[1])
-        self.assertEquals(str(res[1]["lastLogon"]), "x")
-        self.assertEquals(str(res[2].dn), self.samba4.dn("cn=Z"))
-        self.assertEquals(str(res[2]["dnsHostName"]), "z")
+        self.assertEquals(str(res[1]["lastLogon"]), "y")
+        self.assertEquals(str(res[2].dn), self.samba4.dn("cn=C"))
+        self.assertTrue(not "dnsHostName" in res[2])
         self.assertEquals(str(res[2]["lastLogon"]), "z")
-        self.assertEquals(str(res[3].dn), self.samba4.dn("cn=C"))
-        self.assertTrue(not "dnsHostName" in res[3])
+        self.assertEquals(str(res[3].dn), self.samba4.dn("cn=Z"))
+        self.assertEquals(str(res[3]["dnsHostName"]), "z")
         self.assertEquals(str(res[3]["lastLogon"]), "z")
 
         # Search by negated disjunction of remote attributes
         res = self.ldb.search(expression="(!(|(badPwdCount=x)(lastLogon=x)))", 
                               attrs=["dnsHostName", "lastLogon"])
         self.assertEquals(len(res), 5)
-        self.assertEquals(str(res[0].dn), self.samba4.dn("cn=Y"))
-        self.assertEquals(str(res[0]["dnsHostName"]), "y")
-        self.assertEquals(str(res[0]["lastLogon"]), "y")
-        self.assertEquals(str(res[1].dn), self.samba4.dn("cn=Z"))
-        self.assertEquals(str(res[1]["dnsHostName"]), "z")
-        self.assertEquals(str(res[1]["lastLogon"]), "z")
-        self.assertEquals(str(res[2].dn), self.samba4.dn("cn=C"))
-        self.assertTrue(not "dnsHostName" in res[2])
+        res = sorted(res, key=attrgetter('dn'))
+        self.assertEquals(str(res[0].dn), self.samba4.dn("cn=C"))
+        self.assertTrue(not "dnsHostName" in res[0])
+        self.assertEquals(str(res[0]["lastLogon"]), "z")
+        self.assertEquals(str(res[1].dn), self.samba4.dn("cn=Y"))
+        self.assertEquals(str(res[1]["dnsHostName"]), "y")
+        self.assertEquals(str(res[1]["lastLogon"]), "y")
+        self.assertEquals(str(res[2].dn), self.samba4.dn("cn=Z"))
+        self.assertEquals(str(res[2]["dnsHostName"]), "z")
         self.assertEquals(str(res[2]["lastLogon"]), "z")
 
         # Search by negated disjunction of local and remote attribute
         res = self.ldb.search(expression="(!(|(revision=x)(lastLogon=y)))", 
                               attrs=["dnsHostName", "lastLogon"])
         self.assertEquals(len(res), 5)
+        res = sorted(res, key=attrgetter('dn'))
         self.assertEquals(str(res[0].dn), self.samba4.dn("cn=A"))
         self.assertTrue(not "dnsHostName" in res[0])
         self.assertEquals(str(res[0]["lastLogon"]), "x")
-        self.assertEquals(str(res[1].dn), self.samba4.dn("cn=Z"))
-        self.assertEquals(str(res[1]["dnsHostName"]), "z")
+        self.assertEquals(str(res[1].dn), self.samba4.dn("cn=C"))
+        self.assertTrue(not "dnsHostName" in res[1])
         self.assertEquals(str(res[1]["lastLogon"]), "z")
-        self.assertEquals(str(res[2].dn), self.samba4.dn("cn=C"))
-        self.assertTrue(not "dnsHostName" in res[2])
+        self.assertEquals(str(res[2].dn), self.samba4.dn("cn=Z"))
+        self.assertEquals(str(res[2]["dnsHostName"]), "z")
         self.assertEquals(str(res[2]["lastLogon"]), "z")
 
         # Search by complex parse tree
         res = self.ldb.search(expression="(|(&(revision=x)(dnsHostName=x))(!(&(description=x)(nextRid=y)))(badPwdCount=y))", attrs=["dnsHostName", "lastLogon"])
         self.assertEquals(len(res), 7)
-        self.assertEquals(str(res[0].dn), self.samba4.dn("cn=B"))
+        res = sorted(res, key=attrgetter('dn'))
+        self.assertEquals(str(res[0].dn), self.samba4.dn("cn=A"))
         self.assertTrue(not "dnsHostName" in res[0])
-        self.assertEquals(str(res[0]["lastLogon"]), "y")
-        self.assertEquals(str(res[1].dn), self.samba4.dn("cn=X"))
-        self.assertEquals(str(res[1]["dnsHostName"]), "x")
-        self.assertEquals(str(res[1]["lastLogon"]), "x")
-        self.assertEquals(str(res[2].dn), self.samba4.dn("cn=A"))
+        self.assertEquals(str(res[0]["lastLogon"]), "x")
+        self.assertEquals(str(res[1].dn), self.samba4.dn("cn=B"))
+        self.assertTrue(not "dnsHostName" in res[1])
+        self.assertEquals(str(res[1]["lastLogon"]), "y")
+        self.assertEquals(str(res[2].dn), self.samba4.dn("cn=C"))
         self.assertTrue(not "dnsHostName" in res[2])
-        self.assertEquals(str(res[2]["lastLogon"]), "x")
-        self.assertEquals(str(res[3].dn), self.samba4.dn("cn=Z"))
-        self.assertEquals(str(res[3]["dnsHostName"]), "z")
-        self.assertEquals(str(res[3]["lastLogon"]), "z")
-        self.assertEquals(str(res[4].dn), self.samba4.dn("cn=C"))
-        self.assertTrue(not "dnsHostName" in res[4])
+        self.assertEquals(str(res[2]["lastLogon"]), "z")
+        self.assertEquals(str(res[3].dn), self.samba4.dn("cn=X"))
+        self.assertEquals(str(res[3]["dnsHostName"]), "x")
+        self.assertEquals(str(res[3]["lastLogon"]), "x")
+        self.assertEquals(str(res[4].dn), self.samba4.dn("cn=Z"))
+        self.assertEquals(str(res[4]["dnsHostName"]), "z")
         self.assertEquals(str(res[4]["lastLogon"]), "z")
 
         # Clean up
diff --git a/source4/scripting/python/samba/tests/strings.py b/source4/scripting/python/samba/tests/strings.py
new file mode 100644
index 0000000000..5f3e5c5bb7
--- /dev/null
+++ b/source4/scripting/python/samba/tests/strings.py
@@ -0,0 +1,104 @@
+#!/usr/bin/env python
+
+# subunit test cases for Samba string functions.
+
+# Copyright (C) 2003 by Martin Pool <mbp@samba.org>
+# Copyright (C) 2011 Andrew Bartlett
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+# XXX: All this code assumes that the Unix character set is UTF-8,
+# which is the most common setting.  I guess it would be better to
+# force it to that value while running the tests.  I'm not sure of the
+# best way to do that yet.
+#
+# -- mbp
+
+import sys, re
+from unicodenames import *
+
+import samba.tests
+from samba import strcasecmp_m, strstr_m
+
+def signum(a):
+    if a < 0:
+        return -1
+    elif a > 0:
+        return +1
+    else:
+        return 0
+
+
+class strcasecmp_m_Tests(samba.tests.TestCase):
+    """String comparisons in simple ASCII and unicode"""
+    def test_strcasecmp_m(self):
+        # A, B, strcasecmp(A, B)
+        cases = [('hello', 'hello', 0),
+                 ('hello', 'goodbye', +1),
+                 ('goodbye', 'hello', -1),
+                 ('hell', 'hello', -1),
+                 ('', '', 0),
+                 ('a', '', +1),
+                 ('', 'a', -1),
+                 ('a', 'A', 0),
+                 ('aa', 'aA', 0),
+                 ('Aa', 'aa', 0),
+                 ('longstring ' * 100, 'longstring ' * 100, 0),
+                 ('longstring ' * 100, 'longstring ' * 100 + 'a', -1),
+                 ('longstring ' * 100 + 'a', 'longstring ' * 100, +1),
+                 (KATAKANA_LETTER_A, KATAKANA_LETTER_A, 0),
+                 (KATAKANA_LETTER_A, 'a', 1),
+                 ]
+        for a, b, expect in cases:
+            self.assertEquals(signum(strcasecmp_m(a.encode('utf-8'),
+                                                  b.encode('utf-8'))),
+                              expect)
+
+class strstr_m_Tests(samba.tests.TestCase):
+    """strstr_m tests in simple ASCII and unicode strings"""
+    def test_strstr_m(self):
+        # A, B, strstr_m(A, B)
+        cases = [('hello', 'hello', 'hello'),
+                 ('hello', 'goodbye', None),
+                 ('goodbye', 'hello', None),
+                 ('hell', 'hello', None),
+                 ('hello', 'hell', 'hello'),
+                 ('', '', ''),
+                 ('a', '', 'a'),
+                 ('', 'a', None),
+                 ('a', 'A', None),
+                 ('aa', 'aA', None),
+                 ('Aa', 'aa', None),
+                 ('%v foo', '%v', '%v foo'),
+                 ('foo %v foo', '%v', '%v foo'),
+                 ('foo %v', '%v', '%v'),
+                 ('longstring ' * 100, 'longstring ' * 99, 'longstring ' * 100),
+                 ('longstring ' * 99, 'longstring ' * 100, None),
+                 ('longstring a' * 99, 'longstring ' * 100 + 'a', None),
+                 ('longstring ' * 100 + 'a', 'longstring ' * 100, 'longstring ' * 100 + 'a'),
+                 (KATAKANA_LETTER_A, KATAKANA_LETTER_A + 'bcd', None),
+                 (KATAKANA_LETTER_A + 'bcde', KATAKANA_LETTER_A + 'bcd', KATAKANA_LETTER_A + 'bcde'),
+                 ('d'+KATAKANA_LETTER_A + 'bcd', KATAKANA_LETTER_A + 'bcd', KATAKANA_LETTER_A + 'bcd'),
+                 ('d'+KATAKANA_LETTER_A + 'bd', KATAKANA_LETTER_A + 'bcd', None),
+
+                 ('e'+KATAKANA_LETTER_A + 'bcdf', KATAKANA_LETTER_A + 'bcd', KATAKANA_LETTER_A + 'bcdf'),
+                 (KATAKANA_LETTER_A, KATAKANA_LETTER_A + 'bcd', None),
+                 (KATAKANA_LETTER_A*3, 'a', None),
+                 ]
+        for a, b, expect in cases:
+            if expect is not None:
+                expect = expect.encode('utf-8')
+            self.assertEquals(strstr_m(a.encode('utf-8'),
+                                       b.encode('utf-8')),
+                              expect)
diff --git a/source4/scripting/python/samba/tests/unicodenames.py b/source4/scripting/python/samba/tests/unicodenames.py
new file mode 100644
index 0000000000..fa5d0efc8c
--- /dev/null
+++ b/source4/scripting/python/samba/tests/unicodenames.py
@@ -0,0 +1,31 @@
+#! /usr/bin/python
+
+# Copyright (C) 2003 by Martin Pool <mbp@samba.org>
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+
+"""
+Defines symbolic names for a few UNICODE characters, to make test
+source code more readable on machines that don't have all the
+necessary fonts.
+
+You can do "import *" on this file safely.
+"""
+
+LATIN_CAPITAL_LETTER_N_WITH_TILDE         = u'\u004e'
+LATIN_CAPITAL_LETTER_O_WITH_DIARESIS      = u'\u00d6'
+LATIN_SMALL_LETTER_O_WITH_DIARESIS        = u'\u00f6'
+
+KATAKANA_LETTER_A                         = u'\u30a2'
diff --git a/source4/scripting/python/samba/tests/upgradeprovisionneeddc.py b/source4/scripting/python/samba/tests/upgradeprovisionneeddc.py
index 3a9c78e0dc..596cff6d3a 100644
--- a/source4/scripting/python/samba/tests/upgradeprovisionneeddc.py
+++ b/source4/scripting/python/samba/tests/upgradeprovisionneeddc.py
@@ -26,9 +26,9 @@ import shutil
 from samba import param
 from samba.credentials import Credentials
 from samba.auth import system_session
-from samba.provision import getpolicypath
+from samba.provision import getpolicypath,find_provision_key_parameters
 from samba.upgradehelpers import (get_paths, get_ldbs,
-                                 find_provision_key_parameters, identic_rename,
+                                 identic_rename,
                                  updateOEMInfo, getOEMInfo, update_gpo,
                                  delta_update_basesamdb,
                                  update_dns_account_password,
diff --git a/source4/scripting/python/samba/upgradehelpers.py b/source4/scripting/python/samba/upgradehelpers.py
index 48f492a7dc..e15523033f 100755
--- a/source4/scripting/python/samba/upgradehelpers.py
+++ b/source4/scripting/python/samba/upgradehelpers.py
@@ -24,22 +24,19 @@
 """Helpers used for upgrading between different database formats."""
 
 import os
-import string
 import re
 import shutil
 import samba
 
 from samba import Ldb, version, ntacls
-from samba.dsdb import DS_DOMAIN_FUNCTION_2000
 from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE
 import ldb
-from samba.provision import (ProvisionNames, provision_paths_from_lp,
+from samba.provision import (provision_paths_from_lp,
                             getpolicypath, set_gpos_acl, create_gpo_struct,
                             FILL_FULL, provision, ProvisioningError,
                             setsysvolacl, secretsdb_self_join)
-from samba.dcerpc import misc, security, xattr
+from samba.dcerpc import xattr
 from samba.dcerpc.misc import SEC_CHAN_BDC
-from samba.ndr import ndr_unpack
 from samba.samdb import SamDB
 
 # All the ldb related to registry are commented because the path for them is
@@ -242,112 +239,6 @@ def update_policyids(names, samdb):
         names.policyid_dc = None
 
 
-def find_provision_key_parameters(samdb, secretsdb, idmapdb, paths, smbconf, lp):
-    """Get key provision parameters (realm, domain, ...) from a given provision
-
-    :param samdb: An LDB object connected to the sam.ldb file
-    :param secretsdb: An LDB object connected to the secrets.ldb file
-    :param idmapdb: An LDB object connected to the idmap.ldb file
-    :param paths: A list of path to provision object
-    :param smbconf: Path to the smb.conf file
-    :param lp: A LoadParm object
-    :return: A list of key provision parameters
-    """
-    names = ProvisionNames()
-    names.adminpass = None
-
-    # NT domain, kerberos realm, root dn, domain dn, domain dns name
-    names.domain = string.upper(lp.get("workgroup"))
-    names.realm = lp.get("realm")
-    basedn = "DC=" + names.realm.replace(".",",DC=")
-    names.dnsdomain = names.realm.lower()
-    names.realm = string.upper(names.realm)
-    # netbiosname
-    # Get the netbiosname first (could be obtained from smb.conf in theory)
-    res = secretsdb.search(expression="(flatname=%s)" %
-                            names.domain,base="CN=Primary Domains",
-                            scope=SCOPE_SUBTREE, attrs=["sAMAccountName"])
-    names.netbiosname = str(res[0]["sAMAccountName"]).replace("$","")
-
-    names.smbconf = smbconf
-
-    # That's a bit simplistic but it's ok as long as we have only 3
-    # partitions
-    current = samdb.search(expression="(objectClass=*)", 
-        base="", scope=SCOPE_BASE,
-        attrs=["defaultNamingContext", "schemaNamingContext",
-               "configurationNamingContext","rootDomainNamingContext"])
-
-    names.configdn = current[0]["configurationNamingContext"]
-    configdn = str(names.configdn)
-    names.schemadn = current[0]["schemaNamingContext"]
-    if not (ldb.Dn(samdb, basedn) == (ldb.Dn(samdb,
-                                       current[0]["defaultNamingContext"][0]))):
-        raise ProvisioningError(("basedn in %s (%s) and from %s (%s)"
-                                 "is not the same ..." % (paths.samdb,
-                                    str(current[0]["defaultNamingContext"][0]),
-                                    paths.smbconf, basedn)))
-
-    names.domaindn=current[0]["defaultNamingContext"]
-    names.rootdn=current[0]["rootDomainNamingContext"]
-    # default site name
-    res3 = samdb.search(expression="(objectClass=*)", 
-        base="CN=Sites," + configdn, scope=SCOPE_ONELEVEL, attrs=["cn"])
-    names.sitename = str(res3[0]["cn"])
-
-    # dns hostname and server dn
-    res4 = samdb.search(expression="(CN=%s)" % names.netbiosname,
-                            base="OU=Domain Controllers,%s" % basedn,
-                            scope=SCOPE_ONELEVEL, attrs=["dNSHostName"])
-    names.hostname = str(res4[0]["dNSHostName"]).replace("." + names.dnsdomain,"")
-
-    server_res = samdb.search(expression="serverReference=%s" % res4[0].dn,
-                                attrs=[], base=configdn)
-    names.serverdn = server_res[0].dn
-
-    # invocation id/objectguid
-    res5 = samdb.search(expression="(objectClass=*)",
-            base="CN=NTDS Settings,%s" % str(names.serverdn), scope=SCOPE_BASE,
-            attrs=["invocationID", "objectGUID"])
-    names.invocation = str(ndr_unpack(misc.GUID, res5[0]["invocationId"][0]))
-    names.ntdsguid = str(ndr_unpack(misc.GUID, res5[0]["objectGUID"][0]))
-
-    # domain guid/sid
-    res6 = samdb.search(expression="(objectClass=*)", base=basedn,
-            scope=SCOPE_BASE, attrs=["objectGUID",
-                "objectSid","msDS-Behavior-Version" ])
-    names.domainguid = str(ndr_unpack(misc.GUID, res6[0]["objectGUID"][0]))
-    names.domainsid = ndr_unpack( security.dom_sid, res6[0]["objectSid"][0])
-    if res6[0].get("msDS-Behavior-Version") is None or \
-        int(res6[0]["msDS-Behavior-Version"][0]) < DS_DOMAIN_FUNCTION_2000:
-        names.domainlevel = DS_DOMAIN_FUNCTION_2000
-    else:
-        names.domainlevel = int(res6[0]["msDS-Behavior-Version"][0])
-
-    # policy guid
-    res7 = samdb.search(expression="(displayName=Default Domain Policy)",
-                        base="CN=Policies,CN=System," + basedn,
-                        scope=SCOPE_ONELEVEL, attrs=["cn","displayName"])
-    names.policyid = str(res7[0]["cn"]).replace("{","").replace("}","")
-    # dc policy guid
-    res8 = samdb.search(expression="(displayName=Default Domain Controllers"
-                                   " Policy)",
-                            base="CN=Policies,CN=System," + basedn,
-                            scope=SCOPE_ONELEVEL, attrs=["cn","displayName"])
-    if len(res8) == 1:
-        names.policyid_dc = str(res8[0]["cn"]).replace("{","").replace("}","")
-    else:
-        names.policyid_dc = None
-    res9 = idmapdb.search(expression="(cn=%s)" %
-                            (security.SID_BUILTIN_ADMINISTRATORS),
-                            attrs=["xidNumber"])
-    if len(res9) == 1:
-        names.wheel_gid = res9[0]["xidNumber"]
-    else:
-        raise ProvisioningError("Unable to find uid/gid for Domain Admins rid")
-    return names
-
-
 def newprovision(names, creds, session, smbconf, provdir, logger):
     """Create a new provision.
 
@@ -469,7 +360,7 @@ def chunck_sddl(sddl):
     return hash
 
 
-def get_diff_sddls(refsddl, cursddl):
+def get_diff_sddls(refsddl, cursddl, checkSacl = True):
     """Get the difference between 2 sddl
 
     This function split the textual representation of ACL into smaller
@@ -477,46 +368,54 @@ def get_diff_sddls(refsddl, cursddl):
 
     :param refsddl: First sddl to compare
     :param cursddl: Second sddl to compare
+    :param checkSacl: If false we skip the sacl checks
     :return: A string that explain difference between sddls
     """
 
     txt = ""
-    hash_new = chunck_sddl(cursddl)
+    hash_cur = chunck_sddl(cursddl)
     hash_ref = chunck_sddl(refsddl)
 
-    if hash_new["owner"] != hash_ref["owner"]:
+    if not hash_cur.has_key("owner"):
+        txt = "\tNo owner in current SD"
+    elif hash_cur["owner"] != hash_ref["owner"]:
         txt = "\tOwner mismatch: %s (in ref) %s" \
-              "(in current)\n" % (hash_ref["owner"], hash_new["owner"])
+              "(in current)\n" % (hash_ref["owner"], hash_cur["owner"])
 
-    if hash_new["group"] != hash_ref["group"]:
+    if not hash_cur.has_key("group"):
+        txt = "%s\tNo group in current SD" % txt
+    elif hash_cur["group"] != hash_ref["group"]:
         txt = "%s\tGroup mismatch: %s (in ref) %s" \
-              "(in current)\n" % (txt, hash_ref["group"], hash_new["group"])
+              "(in current)\n" % (txt, hash_ref["group"], hash_cur["group"])
 
-    for part in ["dacl", "sacl"]:
-        if hash_new.has_key(part) and hash_ref.has_key(part):
+    parts = [ "dacl" ]
+    if checkSacl:
+        parts.append("sacl")
+    for part in parts:
+        if hash_cur.has_key(part) and hash_ref.has_key(part):
 
             # both are present, check if they contain the same ACE
-            h_new = set()
+            h_cur = set()
             h_ref = set()
-            c_new = chunck_acl(hash_new[part])
+            c_cur = chunck_acl(hash_cur[part])
             c_ref = chunck_acl(hash_ref[part])
 
-            for elem in c_new["aces"]:
-                h_new.add(elem)
+            for elem in c_cur["aces"]:
+                h_cur.add(elem)
 
             for elem in c_ref["aces"]:
                 h_ref.add(elem)
 
             for k in set(h_ref):
-                if k in h_new:
-                    h_new.remove(k)
+                if k in h_cur:
+                    h_cur.remove(k)
                     h_ref.remove(k)
 
-            if len(h_new) + len(h_ref) > 0:
+            if len(h_cur) + len(h_ref) > 0:
                 txt = "%s\tPart %s is different between reference" \
                       " and current here is the detail:\n" % (txt, part)
 
-                for item in h_new:
+                for item in h_cur:
                     txt = "%s\t\t%s ACE is not present in the" \
                           " reference\n" % (txt, item)
 
@@ -524,9 +423,9 @@ def get_diff_sddls(refsddl, cursddl):
                     txt = "%s\t\t%s ACE is not present in the" \
                           " current\n" % (txt, item)
 
-        elif hash_new.has_key(part) and not hash_ref.has_key(part):
+        elif hash_cur.has_key(part) and not hash_ref.has_key(part):
             txt = "%s\tReference ACL hasn't a %s part\n" % (txt, part)
-        elif not hash_new.has_key(part) and hash_ref.has_key(part):
+        elif not hash_cur.has_key(part) and hash_ref.has_key(part):
             txt = "%s\tCurrent ACL hasn't a %s part\n" % (txt, part)
 
     return txt
@@ -541,7 +440,7 @@ def update_secrets(newsecrets_ldb, secrets_ldb, messagefunc):
         of the updated provision
     """
 
-    messagefunc(SIMPLE, "update secrets.ldb")
+    messagefunc(SIMPLE, "Update of secrets.ldb")
     reference = newsecrets_ldb.search(expression="dn=@MODULES", base="",
                                         scope=SCOPE_SUBTREE)
     current = secrets_ldb.search(expression="dn=@MODULES", base="",
@@ -649,7 +548,7 @@ def getOEMInfo(samdb, rootdn):
     """
     res = samdb.search(expression="(objectClass=*)", base=str(rootdn),
                             scope=SCOPE_BASE, attrs=["dn", "oEMInformation"])
-    if len(res) > 0:
+    if len(res) > 0 and res[0].get("oEMInformation"):
         info = res[0]["oEMInformation"]
         return info
     else:
@@ -666,7 +565,10 @@ def updateOEMInfo(samdb, rootdn):
     res = samdb.search(expression="(objectClass=*)", base=rootdn,
                             scope=SCOPE_BASE, attrs=["dn", "oEMInformation"])
     if len(res) > 0:
-        info = res[0]["oEMInformation"]
+        if res[0].get("oEMInformation"):
+            info = str(res[0]["oEMInformation"])
+        else:
+            info = ""
         info = "%s, upgrade to %s" % (info, version)
         delta = ldb.Message()
         delta.dn = ldb.Dn(samdb, str(res[0]["dn"]))